CVE-2026-35388
Published 2026-04-02
CVE-2026-35388: OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.
Priority: P4 · 10 · low
CVSS 3.1 base score: 2.5 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)
EPSS: 0.13% (3.0th percentile)
OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssh | — | — |
| msrc | azl3_openssh_9.8p1-5_on_azure_linux_3.0 | — | — |
| msrc | cbl2_openssh_8.9p1-9_on_cbl_mariner_2.0 | — | — |
| openbsd | openssh | < 10.3 | 10.3 |
| paloalto | prisma_sd | — | — |
| ubuntu | openssh | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 2.5 | LOW | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N |
| osv | 2.5 | LOW | — |
| vendor_ubuntu | 7.5 | HIGH | — |
| vendor_debian | 2.5 | LOW | — |
| vendor_msrc | 2.5 | LOW | — |
| vendor_redhat | 2.5 | LOW | — |
Palo Alto
PAN-SA-2026-0009 Informational Bulletin: Impact assessment of OSS CVEs in Prisma SD-WAN ION
vendor_paloalto·2026-06-10·CVSS 8.1
CVE-2026-35385 [HIGH] PAN-SA-2026-0009 Informational Bulletin: Impact assessment of OSS CVEs in Prisma SD-WAN ION
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to Prisma SD-WAN ION. While Prisma SD-WAN ION may include the
CVEs: CVE-2026-35385, CVE-2026-35386, CVE-2026-35387, CVE-2026-35388, CVE-2026-35414
Affected products: Prisma SD
Ubuntu
OpenSSH vulnerabilities
vendor_ubuntu·2026-04-29·CVSS 7.5
CVE-2026-35414 [HIGH] OpenSSH vulnerabilities
Title: OpenSSH vulnerabilities
Summary: Several security issues were fixed in OpenSSH.
Christos Papakonstantinou discovered that the OpenSSH scp tool incorrectly handled the legacy scp protocol (-O) option. This could result in certain files being installed setuid or setgid, contrary to expectations. (CVE-2026-35385)

Florian Kohnhäuser discovered that OpenSSH incorrectly handled shell metacharacters in usernames within a command line. When untrusted usernames and non-default configurations using % in ssh_config are being used, an attacker could possibly use this issue to execute arbitrary code. (CVE-2026-35386)

Christos Papakonstantinou discovered that OpenSSH incorrectly handled parsing the PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms options. This could result in unintend
Red Hat
OpenSSH: OpenSSH: Low integrity impact from unconfirmed proxy-mode multiplexing sessions
vendor_redhat·2026-04-02·CVSS 2.5
CVE-2026-35388 [LOW] CWE-306 OpenSSH: OpenSSH: Low integrity impact from unconfirmed proxy-mode multiplexing sessions
OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.
A flaw was found in OpenSSH. This vulnerability allows for a low integrity impact due to the omission of connection multiplexing confirmation for proxy-mode multiplexing sessions. A local user, under specific and complex conditions requiring user interaction, could potentially establish a multiplexed session without explicit confirmation, leading to unintended data handling.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation ba
Microsoft
CVE-2026-35388: Mariner: Mariner
mitre: mitre
Customer Action Required: Yes
vendor_msrc·2026-04-02·CVSS 2.5
CVE-2026-35388 [LOW] CWE-420 CVE-2026-35388: Mariner: Mariner
Debian
CVE-2026-35388: openssh - OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode mu...
vendor_debian·2026·CVSS 2.5
CVE-2026-35388 [LOW] CVE-2026-35388: openssh - OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode mu...
OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
VulDB
OpenSSH up to 10.2 Proxy-mode Multiplexing Session unprotected alternate channel (Nessus ID 306743)
vuldb·2026-04-16·CVSS 2.5
CVE-2026-35388 [LOW] OpenSSH up to 10.2 Proxy-mode Multiplexing Session unprotected alternate channel (Nessus ID 306743)
A vulnerability was found in OpenSSH up to 10.2 and classified as problematic. Affected by this issue is some unknown functionality of the component Proxy-mode Multiplexing Session Handler. The manipulation results in unprotected alternate channel.
This vulnerability is known as CVE-2026-35388. Attacking locally is a requirement. No exploit is available.
It is suggested to upgrade the affected component.
OSV
CVE-2026-35388: (OpenSSH before 10
osv·2026-04-03·CVSS 2.5
CVE-2026-35388 [LOW] CVE-2026-35388: (OpenSSH before 10
(OpenSSH before 10.3 omits connection multiplexing confirmation for pro ...)
GHSA
GHSA-9fjj-jvxf-738c: OpenSSH before 10
ghsa_unreviewed·2026-04-02
CVE-2026-35388 [LOW] CWE-420 GHSA-9fjj-jvxf-738c: OpenSSH before 10
OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.
OSV
CVE-2026-35388: OpenSSH before 10
osv·2026-04-02·CVSS 2.5
CVE-2026-35388 [LOW] CVE-2026-35388: OpenSSH before 10
OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-35388 openssh: OpenSSH: Low integrity impact from unconfirmed proxy-mode multiplexing sessions [fedora-all]
bugzilla·2026-04-03·CVSS 2.5
CVE-2026-35388 [LOW] CVE-2026-35388 openssh: OpenSSH: Low integrity impact from unconfirmed proxy-mode multiplexing sessions [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-2cedc95af8 (openssh-10.0p1-9.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-2cedc95af8
---
FEDORA-2026-93679cc7c2 (openssh-10.2p1-8.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-93679cc7c2
Bugzilla
CVE-2026-35388 OpenSSH: OpenSSH: Low integrity impact from unconfirmed proxy-mode multiplexing sessions
bugzilla·2026-04-02·CVSS 2.5
CVE-2026-35388 [LOW] CVE-2026-35388 OpenSSH: OpenSSH: Low integrity impact from unconfirmed proxy-mode multiplexing sessions
OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10.0 Extended Update Support
Via RHSA-2026:12389 https://access.redhat.com/errata/RHSA-2026:12389
Wiz
CVE-2026-35388 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-35388 [HIGH] CVE-2026-35388 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35388: OpenSSH vulnerability analysis and mitigation
OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.
Source: NVD
Score: 2.5 (CNA Score 2.5), Severity LOW, Published April 2, 2026
Affected Technologies: OpenSSH, Linux Red Hat
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 1.3
Exploitation Probability (EPSS): N/A
Affected packages and libraries: openssh, cpe:2.3:a:openbsd:openssh
Sources:
| Source | Severity | Fix | Added at |
|---|---|---|---|
| NVD | — | — | — |
| Debian 11, 14 | LOW | No Fix | Apr 02, 2026 |
| Debian 12, 13 | MEDIUM | No Fix | Apr 02, 2026 |
| Echo | LOW | No Fix | Apr 02, 2026 |
| Red Hat 6, 7, 8, 9, 10 | LOW | No Fix | Apr 05, 202 |
Wiz
CVE-2026-3497 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-3497 [MEDIUM] CVE-2026-3497 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3497: OpenSSH vulnerability analysis and mitigation
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workar
Wiz
CVE-2026-35386 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-35386 [HIGH] CVE-2026-35386 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35386: OpenSSH vulnerability analysis and mitigation
In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config.
Source: NVD
Score: 3.6 (CNA Score 3.6), Severity LOW, Published April 2, 2026
Affected Technologies: OpenSSH, Linux Red Hat
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 0.5
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:openbsd:openssh, openssh-clients
Sources:
| Source | Severity | Fix | Added at |
|---|---|---|---|
| NVD | — | — | — |
| Debian 11, 14 | LOW | No Fix | Apr 02, 2026 |
Debian 1
Wiz
CVE-2026-35385 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-35385 [HIGH] CVE-2026-35385 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35385: OpenSSH vulnerability analysis and mitigation
In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).
Source: NVD
Score: 7.5 (CNA Score 7.5), Severity HIGH, Published April 2, 2026
Affected Technologies: OpenSSH, Linux Red Hat
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 10.5
Exploitation Probability (EPSS): N/A
Affected packages and libraries: openssh-ldap, openssh-server
Sources:
| Source | Severity | Fix | Added at |
|---|---|---|---|
| NVD | — | — | — |
| Debian 11, 14 | HIGH | No Fix | Apr 02, 2026 |
| Debian 12, 13 | MEDIUM | No Fix | |
Wiz
CVE-2026-35387 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-35387 [HIGH] CVE-2026-35387 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35387: OpenSSH vulnerability analysis and mitigation
OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.
Source: NVD
Score: 3.1 (CNA Score 3.1), Severity LOW, Published April 2, 2026
Affected Technologies: OpenSSH, Linux Red Hat
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 7.6
Exploitation Probability (EPSS): N/A
Affected packages and libraries: openssh-cavs, openssh-keysign
Sources:
| Source | Severity | Fix | Added at |
|---|---|---|---|
| NVD | — | — | — |
| Debian 11, 14 | LOW | No Fix | Apr 02, 2026 |
| Debian 12, 13 | MEDIUM | No Fix | Apr 02, 2026 |
| Echo | LOW | No Fix | |
Wiz
CVE-2026-35414 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-35414 [HIGH] CVE-2026-35414 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35414: OpenSSH vulnerability analysis and mitigation
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
Source: NVD
Score: 5.4 (CNA Score 4.2), Severity MEDIUM, Published April 2, 2026
Affected Technologies: OpenSSH, Linux Red Hat
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 3.6
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:openbsd:openssh, openssh-cavs
Sources:
| Source | Severity | Fix | Added at |
|---|---|---|---|
| Debian 11, 12, 13, 14 | MEDIUM | No Fix | Apr 02, 2026 |
| Echo | MEDIUM | No Fix | Apr 02, 2026 |
Ho
Published: 2026-04-02