CVE-2026-35386 — Incorrect Behavior Order in Openssh

CWE-696 — Incorrect Behavior Order CWE-78 — OS Command Injection9 documents8 sources

Severity

3.6LOWNVD

EPSS

0.0%

top 99.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openbsd Openssh

Timeline

PublishedApr 2

Latest updateApr 3

Description

In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 1.0 | Impact: 2.5

Affected Packages1 packages

▶CVEListV5openbsd/openssh< 10.3

🔴Vulnerability Details

OSV

CVE-2026-35386: (In OpenSSH before 10↗2026-04-03

▶

CVEList

CVE-2026-35386: In OpenSSH before 10↗2026-04-02

▶

GHSA

GHSA-v93f-5rx7-jm73: In OpenSSH before 10↗2026-04-02

▶

OSV

CVE-2026-35386: In OpenSSH before 10↗2026-04-02

▶

📋Vendor Advisories

Microsoft

CVE-2026-35386: Mariner: Mariner mitre: mitre Customer Action Required: Yes↗2026-04-02

▶

Red Hat

OpenSSH: OpenSSH: Arbitrary command execution via shell metacharacters in username↗2026-04-02

▶

Debian

CVE-2026-35386: openssh - In OpenSSH before 10.3, command execution can occur via shell metacharacters in ...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-35386 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶