Skip to main content

OpenSSH CVE-2026-60001

| EUVDEUVD-2026-42145 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-08 mitre GHSA-8pmr-cc7f-4v7w
6.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Remotely triggerable with no authentication; impact bounded to throttle bypass enabling faster brute-force (I:L) and minor resource exhaustion potential (A:L), with no confidentiality impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 02:01 EUVD
Analysis Generated
Jul 08, 2026 - 01:23 vuln.today

DescriptionCVE.org

sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.

AnalysisAI

OpenSSH sshd before version 10.4 fails to consistently enforce its built-in minimum authentication delay, undermining the rate-limiting defense designed to slow credential-guessing attacks against SSH services. All OpenSSH releases prior to 10.4 are affected across all platforms, enabling unauthenticated remote attackers to submit authentication attempts at a rate higher than the daemon intends to permit. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Connect to exposed SSH port
Delivery
Initiate rapid successive auth attempts
Exploit
Bypass sshd minimum delay throttle
Execution
Enumerate credentials at elevated speed
Persist
Brute-force valid account credentials
Impact
Authenticate as compromised user

Vulnerability AssessmentAI

Exploitation No special non-default configuration is required for the throttling bypass to be triggerable - the flaw exists in sshd's core authentication delay logic present in all default OpenSSH deployments prior to 10.4. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 6.5 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L correctly characterizes this as a remotely exploitable, zero-complexity flaw requiring no authentication, but with bounded impact: only limited integrity impact (accelerated credential guessing weakens the authentication posture) and limited availability impact (potential resource exhaustion from uninhibited connection floods). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker targets an Internet-exposed SSH service running OpenSSH prior to 10.4 with password authentication enabled, using an automated tool to submit successive login attempts against a target account without observing the per-attempt delay sshd is supposed to enforce. The attacker cycles through a credential list at a rate significantly higher than the daemon intends, increasing the probability of a successful brute-force match against accounts using weak, common, or reused passwords. …
Remediation Upgrade to OpenSSH 10.4p1 or later, the vendor-released patch confirmed by release notes at https://www.openssh.org/releasenotes.html#10.4p1. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in SSH

View all
CVE-2014-6271 CRITICAL POC
9.8 Sep 24

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which

CVE-2014-6278 HIGH POC
8.8 Sep 30

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2014-7169 CRITICAL POC
9.8 Sep 25

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of

CVE-2012-6066 CRITICAL POC
9.3 Dec 04

freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons

CVE-2014-6277 CRITICAL POC
10.0 Sep 27

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2023-25136 MEDIUM POC
6.5 Feb 03

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se

CVE-2016-6210 MEDIUM POC
5.9 Feb 13

sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static

CVE-2015-5600 HIGH POC
8.1 Aug 03

The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin

CVE-2016-6515 HIGH POC
7.5 Aug 07

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2012-5975 CRITICAL POC
9.3 Dec 04

The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

Share

CVE-2026-60001 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy