CVE-2026-35414
Published 2026-04-02
Priority: P3 · 42 · High · 8.1 (CVSS 3.1)
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.18% (percentile 7.3)
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssh | — | — |
| msrc | azl3_openssh_9.8p1-5_on_azure_linux_3.0 | — | — |
| msrc | cbl2_openssh_8.9p1-9_on_cbl_mariner_2.0 | — | — |
| openbsd | openssh | < 10.3 | 10.3 |
| paloalto | prisma_sd | — | — |
| ubuntu | openssh | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 8.1 | HIGH | — |
| vendor_ubuntu | 7.5 | HIGH | — |
| vendor_debian | 4.2 | MEDIUM | — |
| vendor_msrc | 4.2 | MEDIUM | — |
| vendor_redhat | 4.2 | MEDIUM | — |
Palo Alto
PAN-SA-2026-0009 Informational Bulletin: Impact assessment of OSS CVEs in Prisma SD-WAN ION
vendor_paloalto·2026-06-10·CVSS 8.1
CVE-2026-35385 [HIGH] PAN-SA-2026-0009 Informational Bulletin: Impact assessment of OSS CVEs in Prisma SD-WAN ION
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to Prisma SD-WAN ION. While Prisma SD-WAN ION may include the
CVEs: CVE-2026-35385, CVE-2026-35386, CVE-2026-35387, CVE-2026-35388, CVE-2026-35414
Affected products: Prisma SD
Ubuntu
OpenSSH vulnerabilities
vendor_ubuntu·2026-04-29·CVSS 7.5
CVE-2026-35414 [HIGH] OpenSSH vulnerabilities
Title: OpenSSH vulnerabilities
Summary: Several security issues were fixed in OpenSSH.
Christos Papakonstantinou discovered that the OpenSSH scp tool incorrectly
handled the legacy scp protocol (-O) option. This could result in certain
files being installed setuid or setgid, contrary to expectations.
(CVE-2026-35385)
Florian Kohnhäuser discovered that OpenSSH incorrectly handled shell
metacharacters in usernames within a command line. When untrusted usernames
and non-default configurations using % in ssh_config are being used, an
attacker could possibly use this issue to execute arbitrary code.
(CVE-2026-35386)
Christos Papakonstantinou discovered that OpenSSH incorrectly handled
parsing the PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms
options. This could result in unintend
Microsoft
CVE-2026-35414: Mariner: Mariner
vendor_msrc·2026-04-02·CVSS 4.2
CVE-2026-35414 [MEDIUM] CWE-670 CVE-2026-35414: Mariner: Mariner
mitre: mitre
Customer Action Required: Yes
Red Hat
OpenSSH: OpenSSH: Security bypass via mishandling of authorized_keys principals option
vendor_redhat·2026-04-02·CVSS 4.2
CVE-2026-35414 [MEDIUM] CWE-168 OpenSSH: OpenSSH: Security bypass via mishandling of authorized_keys principals option
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
A flaw was found in OpenSSH. This vulnerability arises from the incorrect handling of the authorized_keys principals option in uncommon scenarios. Specifically, when a principals list is used with a Certificate Authority that includes comma characters, OpenSSH may misinterpret the input. This could lead to security bypasses, potentially allowing unintended access or information disclosure in specific authentication contexts.
Mitigation: Mitigation for this issue is either not available or the curre
Debian
CVE-2026-35414: openssh - OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon...
vendor_debian·2026·CVSS 4.2
CVE-2026-35414 [MEDIUM] CVE-2026-35414: openssh - OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon...
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
VulDB
OpenSSH up to 10.2 Certificate authorized_keys control flow (Nessus ID 304837 / WID-SEC-2026-0979)
vuldb·2026-05-04·CVSS 8.1
CVE-2026-35414 [HIGH] OpenSSH up to 10.2 Certificate authorized_keys control flow (Nessus ID 304837 / WID-SEC-2026-0979)
A vulnerability categorized as problematic has been discovered in OpenSSH up to 10.2. This affects the function authorized_keys of the component Certificate Handler. Such manipulation leads to incorrect control flow.
This vulnerability is referenced as CVE-2026-35414. It is possible to launch the attack remotely. No exploit is available.
It is advisable to upgrade the affected component.
OSV
CVE-2026-35414: (OpenSSH before 10
osv·2026-04-03·CVSS 8.1
CVE-2026-35414 [HIGH] CVE-2026-35414: (OpenSSH before 10
(OpenSSH before 10.3 mishandles the authorized_keys principals option i ...)
OSV
CVE-2026-35414: OpenSSH before 10
osv·2026-04-02·CVSS 8.1
CVE-2026-35414 [HIGH] CVE-2026-35414: OpenSSH before 10
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
GHSA
GHSA-f6c7-fj8h-5898: OpenSSH before 10
ghsa_unreviewed·2026-04-02
CVE-2026-35414 [MEDIUM] CWE-670 GHSA-f6c7-fj8h-5898: OpenSSH before 10
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-35414 openssh: OpenSSH: Security bypass via mishandling of authorized_keys principals option [fedora-all]
bugzilla·2026-04-03·CVSS 8.1
CVE-2026-35414 [HIGH] CVE-2026-35414 openssh: OpenSSH: Security bypass via mishandling of authorized_keys principals option [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-2cedc95af8 (openssh-10.0p1-9.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-2cedc95af8
---
FEDORA-2026-93679cc7c2 (openssh-10.2p1-8.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-93679cc7c2
Bugzilla
CVE-2026-35414 OpenSSH: OpenSSH: Security bypass via mishandling of authorized_keys principals option
bugzilla·2026-04-02·CVSS 8.1
CVE-2026-35414 [HIGH] CVE-2026-35414 OpenSSH: OpenSSH: Security bypass via mishandling of authorized_keys principals option
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
Hackernews
⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More
blogs_hackernews·2026-05-04·CVSS 9.3
CVE-2026-41940 [CRITICAL] ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More
## ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More
This week, the shadows moved faster than the patches.
While most teams were still triaging last month’s alerts, attackers had already turned control panels into kill switches, kernels into open doors, and open-source pipelines into silent delivery systems.
The game has shifted from breach to occupation. They’re living inside SaaS sessions, pushing code with trusted commits, and scaling operations like legitimate businesses — except their product is chaos. And the underground is getting uncomfortably professional.
Here’s the full week
Wiz
CVE-2026-35388 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-35388 [HIGH] CVE-2026-35388 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35388: OpenSSH vulnerability analysis and mitigation
OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.
Source: NVD
Score: 2.5
Published: April 2, 2026
Severity: LOW
CNA Score: 2.5
Affected Technologies: OpenSSH, Linux Red Hat
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 1.3
Exploitation Probability (EPSS): N/A
Affected packages and libraries: openssh, cpe:2.3:a:openbsd:openssh
Sources
NVD
Debian 11, 14 Severity LOW No Fix Added at: Apr 02, 2026
Debian 12, 13 Severity MEDIUM No Fix Added at: Apr 02, 2026
Echo Severity LOW No Fix Added at: Apr 02, 2026
Red Hat 6, 7, 8, 9, 10 Severity LOW No Fix Added at: Apr 05, 202
Wiz
CVE-2026-3497 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-3497 [MEDIUM] CVE-2026-3497 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3497: OpenSSH vulnerability analysis and mitigation
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workar
Wiz
CVE-2026-35386 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-35386 [HIGH] CVE-2026-35386 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35386: OpenSSH vulnerability analysis and mitigation
In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.
Source: NVD
Score: 3.6
Published: April 2, 2026
Severity: LOW
CNA Score: 3.6
Affected Technologies: OpenSSH, Linux Red Hat
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 0.5
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:openbsd:openssh, openssh-clients
Sources
NVD
Debian 11, 14 Severity LOW No Fix Added at: Apr 02, 2026
Debian 1
Wiz
CVE-2026-35385 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-35385 [HIGH] CVE-2026-35385 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35385: OpenSSH vulnerability analysis and mitigation
In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).
Source: NVD
Score: 7.5
Published: April 2, 2026
Severity: HIGH
CNA Score: 7.5
Affected Technologies: OpenSSH, Linux Red Hat
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 10.5
Exploitation Probability (EPSS): N/A
Affected packages and libraries: openssh-ldap, openssh-server
Sources
NVD
Debian 11, 14 Severity HIGH No Fix Added at: Apr 02, 2026
Debian 12, 13 Severity MEDIUM No Fix Added at:
Wiz
CVE-2026-35387 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-35387 [HIGH] CVE-2026-35387 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35387: OpenSSH vulnerability analysis and mitigation
OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.
Source: NVD
Score: 3.1
Published: April 2, 2026
Severity: LOW
CNA Score: 3.1
Affected Technologies: OpenSSH, Linux Red Hat
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 7.6
Exploitation Probability (EPSS): N/A
Affected packages and libraries: openssh-cavs, openssh-keysign
Sources
NVD
Debian 11, 14 Severity LOW No Fix Added at: Apr 02, 2026
Debian 12, 13 Severity MEDIUM No Fix Added at: Apr 02, 2026
Echo Severity LOW No Fix
Wiz
CVE-2026-35414 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-35414 [HIGH] CVE-2026-35414 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35414: OpenSSH vulnerability analysis and mitigation
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
Source: NVD
Score: 5.4
Published: April 2, 2026
Severity: MEDIUM
CNA Score: 4.2
Affected Technologies: OpenSSH, Linux Red Hat
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 3.6
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:openbsd:openssh, openssh-cavs
Sources
Debian 11, 12, 13, 14 Severity MEDIUM No Fix Added at: Apr 02, 2026
Echo Severity MEDIUM No Fix Added at: Apr 02, 2026