
OpenSSH EUVD-2026-18398
CVE-2026-35385 HIGH
Improper Preservation of Permissions (CWE-281)
2026-04-02 · mitre · GHSA-jgqr-738j-43cg
8.1 (CVSS 3.1, NVD)

Severity by source

NVD (primary): 8.1 HIGH, AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI: 7.5 HIGH
  CVSS 3.1: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  Rationale: the attacker needs no local privileges (PR:N), but root must actively run scp with legacy -O and no -p against a hostile source, so UI:R and AC:H; the setuid-root outcome yields full C/I/A impact.
SUSE: 7.5 HIGH, AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Red Hat: 7.5 HIGH (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (13 events)

Jun 30, 2026 - 04:40 (vuln.today): Analysis Updated, v6 (cvss_changed)
Jun 30, 2026 - 04:40 (vuln.today): Analysis Updated, v5 (cvss_changed)
Jun 30, 2026 - 04:39 (vuln.today): Analysis Updated, v4 (cvss_changed)
Jun 30, 2026 - 04:38 (vuln.today): Analysis Updated, v3 (cvss_changed)
Jun 30, 2026 - 03:24 (NVD): CVSS changed, 7.5 (HIGH) -> 8.1 (HIGH)
Apr 27, 2026 - 14:14 (vuln.today): Analysis Updated, v2 (cvss_changed)
Apr 27, 2026 - 14:07 (vuln.today): Re-analysis Queued, cvss_changed
Apr 16, 2026 - 06:08 (EUVD-patch-fix): Analysis Updated, executive_summary
Apr 16, 2026 - 05:29 (backfill_euvd_patch): Re-analysis Queued, patch_released
Apr 16, 2026 - 05:29 (EUVD): Patch available, 10.3
Apr 02, 2026 - 17:00 (euvd): EUVD ID Assigned, EUVD-2026-18398
Apr 02, 2026 - 17:00 (vuln.today): Analysis Generated
Apr 02, 2026 - 16:30 (nvd): CVE Published, HIGH 7.5

Description (NVD)

In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).

Analysis (AI)

Privilege-escalation exposure in OpenSSH before 10.3 (fixed in 10.3p1) where scp, when run by root using the legacy SCP protocol flag -O and without -p (preserve mode), may write a downloaded file with setuid or setgid bits set, contrary to user expectation. A malicious or compromised SSH server (or a man-in-the-middle on the transfer) could thereby cause an attacker-controlled binary to land on disk as a setuid/setgid-root executable, enabling local privilege escalation when it is later run. …
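As an added illustration (not OpenSSH's own scp code), the following Python models the receiving side of a legacy-protocol transfer: a trusting receiver that applies the remote-advertised mode as the pre-10.3 behaviour is described above, beside a hardened receiver that drops the setuid/setgid bits unless the user asked for preserve mode, plus a defender-side audit over constructed (path, mode) records. The function names, the simplified mode handling and the sample control line are assumptions made for this example.

```python
"""Added model of the CVE-2026-35385 bug class: trusting vs hardened
handling of remote-advertised file modes on the scp receiving side.
Illustrative only; this is not OpenSSH's scp implementation."""
import stat

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX  # 0o7000
PERM_BITS = 0o777
DEFAULT_UMASK = 0o022


def parse_legacy_c_line(line: str) -> tuple[int, int, str]:
    """Parse a legacy SCP protocol file header such as 'C4755 1024 tool'
    into (mode, size, name). The sample line is constructed."""
    if not line.startswith("C"):
        raise ValueError("not a file header line")
    mode_s, size_s, name = line[1:].rstrip("\n").split(" ", 2)
    return int(mode_s, 8), int(size_s), name


def trusting_receive_mode(advertised: int, preserve: bool,
                          umask: int = DEFAULT_UMASK) -> int:
    """Pre-fix behaviour as described above: the advertised mode, special
    bits included, reaches file creation, and a typical umask clears only
    rwx bits, so 04755 survives whether or not -p was given."""
    return advertised & 0o7777 & ~umask


def hardened_receive_mode(advertised: int, preserve: bool,
                          umask: int = DEFAULT_UMASK) -> int:
    """Hardened behaviour: honour setuid/setgid/sticky only when the user
    explicitly asked to preserve modes (-p); otherwise keep plain rwx bits."""
    if preserve:
        return advertised & 0o7777
    return advertised & PERM_BITS & ~umask


def lands_privileged(mode: int, receiver_is_root: bool) -> bool:
    """True when the written file would be setuid/setgid and owned by root,
    the outcome that enables later local privilege escalation."""
    return receiver_is_root and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def audit_special_bits(records: list[tuple[str, int]]) -> list[str]:
    """Defender-side check over (path, st_mode) records (e.g. from os.lstat):
    return the regular files carrying setuid or setgid bits."""
    return [path for path, mode in records
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID)]
```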


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Attacker controls or compromises the source SSH server
Delivery: Root victim runs scp -O without -p
Exploit: Server advertises setuid/setgid mode bits
Execution: File written locally as a setuid-root binary
Persist: Low-privileged user executes the binary
Impact: Local privilege escalation to root

Vulnerability Assessment (AI)

Exploitation: Exploitation requires all of the following concrete conditions drawn from the description: the scp transfer must be performed by root; the legacy SCP protocol must be selected with the -O flag; the -p (preserve mode) flag must NOT be used; and the remote file source must be attacker-influenced (a malicious or compromised SSH server, or a MITM position on the transfer) so it can advertise setuid/setgid mode bits. …
Risk Assessment: Signals are mixed and point to a real-but-conditional risk rather than an urgent mass-exploitation event. …
Exploit Scenario: An administrator runs scp as root with the legacy -O flag (and without -p) to fetch a tool or binary from a server an attacker controls or has compromised. The malicious server marks the transferred file with the setuid-root bit, so it lands on the admin's host as a setuid-root executable; a low-privileged local user (or the attacker via a planted payload) then runs it to gain root. …
Remediation: Vendor-released patch: upgrade to OpenSSH 10.3 / 10.3p1 or later (per https://www.openssh.org/releasenotes.html#10.3p1), or apply your distribution's fixed package; Ubuntu USN-8222-1 and the Red Hat RHSA errata listed above deliver the backported fix. …

Recommended Action (AI)

Within 24 hours: Conduct inventory of systems running OpenSSH versions prior to 10.3. …



Vendor Status

SUSE (Severity: High)

Product status:
SLES15-SP5-CHOST-BYOS-SAP-CCloud: Fixed
SLES15-SP6-CHOST-BYOS: Fixed
SLES15-SP6-CHOST-BYOS-Aliyun: Fixed
SLES15-SP6-CHOST-BYOS-Azure: Fixed
SLES15-SP6-CHOST-BYOS-EC2: Fixed


EUVD-2026-18398 vulnerability details – vuln.today
