CVE-2026-35386
Published: 2026-04-02
Priority: P3 · 47 · high
CVSS 3.1: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.25% (15.8th percentile)
In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssh | — | — |
| msrc | azl3_openssh_9.8p1-5_on_azure_linux_3.0 | — | — |
| msrc | cbl2_openssh_8.9p1-9_on_cbl_mariner_2.0 | — | — |
| openbsd | openssh | < 10.3 | 10.3 |
| paloalto | prisma_sd | — | — |
| ubuntu | openssh | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 3.6 | LOW | — |
| vendor_ubuntu | 7.5 | HIGH | — |
| vendor_debian | 3.6 | LOW | — |
| vendor_msrc | 3.6 | LOW | — |
| vendor_redhat | 3.6 | LOW | — |
Palo Alto
PAN-SA-2026-0009 Informational Bulletin: Impact assessment of OSS CVEs in Prisma SD-WAN ION
vendor_paloalto·2026-06-10·CVSS 8.1
CVE-2026-35385 [HIGH] PAN-SA-2026-0009 Informational Bulletin: Impact assessment of OSS CVEs in Prisma SD-WAN ION
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to Prisma SD-WAN ION. While Prisma SD-WAN ION may include the
CVEs: CVE-2026-35385, CVE-2026-35386, CVE-2026-35387, CVE-2026-35388, CVE-2026-35414
Affected products: Prisma SD
Ubuntu
OpenSSH vulnerabilities
vendor_ubuntu·2026-04-29·CVSS 7.5
CVE-2026-35414 [HIGH] OpenSSH vulnerabilities
Summary: Several security issues were fixed in OpenSSH.
Christos Papakonstantinou discovered that the OpenSSH scp tool incorrectly handled the legacy scp protocol (-O) option. This could result in certain files being installed setuid or setgid, contrary to expectations. (CVE-2026-35385)

Florian Kohnhäuser discovered that OpenSSH incorrectly handled shell metacharacters in usernames within a command line. When untrusted usernames and non-default configurations using % in ssh_config are being used, an attacker could possibly use this issue to execute arbitrary code. (CVE-2026-35386)

Christos Papakonstantinou discovered that OpenSSH incorrectly handled parsing the PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms options. This could result in unintend
Microsoft
CVE-2026-35386: Mariner: Mariner
mitre: mitre
Customer Action Required: Yes
vendor_msrc·2026-04-02·CVSS 3.6
CVE-2026-35386 [LOW] CWE-696 CVE-2026-35386: Mariner: Mariner
Red Hat
OpenSSH: OpenSSH: Arbitrary command execution via shell metacharacters in username
vendor_redhat·2026-04-02·CVSS 3.6
CVE-2026-35386 [LOW] CWE-78 OpenSSH: OpenSSH: Arbitrary command execution via shell metacharacters in username
In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config.
A flaw was found in OpenSSH. This vulnerability allows a remote attacker to achieve arbitrary command execution by injecting shell metacharacters into a username provided on the command line. Exploitation requires an untrusted username and a non-default configuration of the '%' character in `ssh_config`.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria co
Debian
CVE-2026-35386: openssh - In OpenSSH before 10.3, command execution can occur via shell metacharacters in ...
vendor_debian·2026·CVSS 3.6
CVE-2026-35386 [LOW] CVE-2026-35386: openssh - In OpenSSH before 10.3, command execution can occur via shell metacharacters in ...
In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
VulDB
OpenSSH up to 10.2 Command Line ssh_config incorrect behavior order (Nessus ID 304834 / WID-SEC-2026-0979)
vuldb·2026-05-04·CVSS 8.1
CVE-2026-35386 [HIGH] OpenSSH up to 10.2 Command Line ssh_config incorrect behavior order (Nessus ID 304834 / WID-SEC-2026-0979)
A vulnerability classified as problematic has been found in OpenSSH up to 10.2. The impacted element is the function ssh_config of the component Command Line Handler. This manipulation causes incorrect behavior order.
This vulnerability is registered as CVE-2026-35386. The attack needs to be launched locally. No exploit is available.
It is recommended to upgrade the affected component.
OSV
CVE-2026-35386: (In OpenSSH before 10
osv·2026-04-03·CVSS 3.6
CVE-2026-35386 [LOW] CVE-2026-35386: (In OpenSSH before 10
(In OpenSSH before 10.3, command execution can occur via shell metachar ...)
GHSA
GHSA-v93f-5rx7-jm73: In OpenSSH before 10
ghsa_unreviewed·2026-04-02
CVE-2026-35386 [LOW] CWE-696 GHSA-v93f-5rx7-jm73: In OpenSSH before 10
In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config.
OSV
CVE-2026-35386: In OpenSSH before 10
osv·2026-04-02·CVSS 3.6
CVE-2026-35386 [LOW] CVE-2026-35386: In OpenSSH before 10
In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-35386 openssh: OpenSSH: Arbitrary command execution via shell metacharacters in username [fedora-all]
bugzilla·2026-04-03·CVSS 3.6
CVE-2026-35386 [LOW] CVE-2026-35386 openssh: OpenSSH: Arbitrary command execution via shell metacharacters in username [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-2cedc95af8 (openssh-10.0p1-9.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-2cedc95af8
---
FEDORA-2026-93679cc7c2 (openssh-10.2p1-8.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-93679cc7c2
Bugzilla
CVE-2026-35386 OpenSSH: OpenSSH: Arbitrary command execution via shell metacharacters in username
bugzilla·2026-04-02·CVSS 3.6
CVE-2026-35386 [LOW] CVE-2026-35386 OpenSSH: OpenSSH: Arbitrary command execution via shell metacharacters in username
In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config.
Wiz
CVE-2026-35388 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-35388 [HIGH] CVE-2026-35388 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-35388: OpenSSH vulnerability analysis and mitigation
OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.
Source: NVD
Score: 2.5
Published: April 2, 2026
Severity: LOW
CNA Score: 2.5
Affected Technologies: OpenSSH, Linux Red Hat
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 1.3
Exploitation Probability (EPSS): N/A
Affected packages and libraries: openssh, cpe:2.3:a:openbsd:openssh
Sources:
NVD
Debian 11, 14: Severity LOW, No Fix, Added at: Apr 02, 2026
Debian 12, 13: Severity MEDIUM, No Fix, Added at: Apr 02, 2026
Echo: Severity LOW, No Fix, Added at: Apr 02, 2026
Red Hat 6, 7, 8, 9, 10: Severity LOW, No Fix, Added at: Apr 05, 202
Wiz
CVE-2026-3497 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-3497 [MEDIUM] CVE-2026-3497 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-3497: OpenSSH vulnerability analysis and mitigation
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workar
Wiz
CVE-2026-35386 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-35386 [HIGH] CVE-2026-35386 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-35386: OpenSSH vulnerability analysis and mitigation
In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config.
Source: NVD
Score: 3.6
Published: April 2, 2026
Severity: LOW
CNA Score: 3.6
Affected Technologies: OpenSSH, Linux Red Hat
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 0.5
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:openbsd:openssh, openssh-clients
Sources:
NVD
Debian 11, 14: Severity LOW, No Fix, Added at: Apr 02, 2026
Debian 1
Wiz
CVE-2026-35385 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-35385 [HIGH] CVE-2026-35385 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-35385: OpenSSH vulnerability analysis and mitigation
In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).
Source: NVD
Score: 7.5
Published: April 2, 2026
Severity: HIGH
CNA Score: 7.5
Affected Technologies: OpenSSH, Linux Red Hat
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 10.5
Exploitation Probability (EPSS): N/A
Affected packages and libraries: openssh-ldap, openssh-server
Sources:
NVD
Debian 11, 14: Severity HIGH, No Fix, Added at: Apr 02, 2026
Debian 12, 13: Severity MEDIUM, No Fix, Added at:
Wiz
CVE-2026-35387 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-35387 [HIGH] CVE-2026-35387 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-35387: OpenSSH vulnerability analysis and mitigation
OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.
Source: NVD
Score: 3.1
Published: April 2, 2026
Severity: LOW
CNA Score: 3.1
Affected Technologies: OpenSSH, Linux Red Hat
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 7.6
Exploitation Probability (EPSS): N/A
Affected packages and libraries: openssh-cavs, openssh-keysign
Sources:
NVD
Debian 11, 14: Severity LOW, No Fix, Added at: Apr 02, 2026
Debian 12, 13: Severity MEDIUM, No Fix, Added at: Apr 02, 2026
Echo: Severity LOW, No Fix
Wiz
CVE-2026-35414 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-35414 [HIGH] CVE-2026-35414 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-35414: OpenSSH vulnerability analysis and mitigation
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
Source: NVD
Score: 5.4
Published: April 2, 2026
Severity: MEDIUM
CNA Score: 4.2
Affected Technologies: OpenSSH, Linux Red Hat
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 3.6
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:openbsd:openssh, openssh-cavs
Sources:
Debian 11, 12, 13, 14: Severity MEDIUM, No Fix, Added at: Apr 02, 2026
Echo: Severity MEDIUM, No Fix, Added at: Apr 02, 2026
Ho
Published: 2026-04-02