CVE-2026-35414

CWE-670 CWE-1689 documents8 sources

Severity

8.1HIGH

EPSS

0.0%

top 94.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openbsd Openssh

Timeline

PublishedApr 2

Latest updateApr 3

Description

OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 1.6 | Impact: 2.5

Affected Packages2 packages

▶CVEListV5openbsd/openssh< 10.3

▶NVDopenbsd/openssh< 10.3

🔴Vulnerability Details

OSV

CVE-2026-35414: (OpenSSH before 10↗2026-04-03

▶

CVEList

CVE-2026-35414: OpenSSH before 10↗2026-04-02

▶

OSV

CVE-2026-35414: OpenSSH before 10↗2026-04-02

▶

GHSA

GHSA-f6c7-fj8h-5898: OpenSSH before 10↗2026-04-02

▶

📋Vendor Advisories

Microsoft

CVE-2026-35414: Mariner: Mariner mitre: mitre Customer Action Required: Yes↗2026-04-02

▶

Red Hat

OpenSSH: OpenSSH: Security bypass via mishandling of authorized_keys principals option↗2026-04-02

▶

Debian

CVE-2026-35414: openssh - OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-35414 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶