VDB
CVE-2026-35414
PUBLISHED
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios that involve a principals list in conjunction with a Certificate Authority that makes certain use of comma characters. This condition applies only to user-trusted CA keys in authorized_keys (cert-authority entries); the main certificate authentication path (CAs configured server-wide via TrustedUserCAKeys in sshd_config) is not affected. None of the referenced advisories claims that exploitation avoids sshd's normal logging: a successful certificate login is recorded by sshd as an "Accepted publickey" event that includes the certificate key ID, serial number and signing CA, so review those events for certificate logins that resolved against user-trusted CAs, audit authorized_keys files for cert-authority entries that also carry a principals option, and keep file integrity monitoring on authorized_keys as a second line of detection. OpenSSH has not reported any active exploitation of this vulnerability.
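The affected configuration is a cert-authority line in authorized_keys that also carries a principals="..." option on a pre-10.3 server. The following audit script is an added example for this entry, not code from the OpenSSH project or the advisories; it parses the authorized_keys options grammar (comma-separated options, double-quoted values that may themselves contain commas and backslash-escaped quotes), reports every cert-authority entry with a principals list, and checks an `ssh -V` banner against the fixed release. The sample file contents and the truncated key material in SAMPLE are constructed for illustration.

```python
"""Audit authorized_keys files for the configuration CVE-2026-35414 concerns:
cert-authority entries that also carry a principals option, on OpenSSH < 10.3.
Added example; not part of the OpenSSH project."""
import re
import sys

# authorized_keys lines with no options field start with a key type.
KEY_TYPE_RE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-ssh-|sk-ecdsa-)")
FIXED_IN = (10, 3)  # first release that is not affected, per the advisory


def parse_options(text):
    """Split an authorized_keys options field into {name: value}.
    Options are comma-separated; a value is double-quoted and may contain
    commas, and a backslash escapes a quote inside the value. Returns the
    options dict and the remainder of the line (key type, key, comment)."""
    opts, i, n = {}, 0, len(text)
    while i < n:
        start = i
        while i < n and text[i] not in ",= \t":
            i += 1
        name, value = text[start:i].lower(), None
        if i < n and text[i] == "=":
            i += 1
            if i < n and text[i] == '"':
                i += 1
                buf = []
                while i < n and text[i] != '"':
                    if text[i] == "\\" and i + 1 < n and text[i + 1] == '"':
                        buf.append('"')
                        i += 2
                    else:
                        buf.append(text[i])
                        i += 1
                i += 1  # skip the closing quote
                value = "".join(buf)
            else:  # unquoted value (not valid for principals=, but tolerated)
                start = i
                while i < n and text[i] not in ", \t":
                    i += 1
                value = text[start:i]
        opts[name] = value
        if i < n and text[i] == ",":
            i += 1
            continue
        break  # whitespace ends the options field
    return opts, text[i:].lstrip()


def audit_text(text):
    """Return [(line_number, [principals...])] for every cert-authority entry
    that also restricts principals, i.e. the shape this CVE is about."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = ({}, line) if KEY_TYPE_RE.match(line) else parse_options(line)
        parts = rest.split(None, 2)
        if len(parts) < 2 or not KEY_TYPE_RE.match(parts[0]):
            continue  # not a parseable key line
        if "cert-authority" in opts and opts.get("principals") is not None:
            names = [p for p in opts["principals"].split(",") if p]
            findings.append((lineno, names))
    return findings


def is_affected(banner):
    """True if an `ssh -V` banner such as 'OpenSSH_10.2p1, OpenSSL 3.0.13'
    is below the fixed release. Distribution backports are not visible in the
    version string, so treat a True result as 'check the package changelog'."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("not an OpenSSH version banner: %r" % banner)
    return (int(m.group(1)), int(m.group(2))) < FIXED_IN


# Constructed sample file; key blobs are truncated placeholders, not real keys.
SAMPLE = """# constructed sample authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYFOqZb alice@laptop
cert-authority,principals="deploy,ops",from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1 user-ca
cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQ plain-ca
principals="bob" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 not-a-ca
"""

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for lineno, names in audit_text(data):
        print("line %d: cert-authority with principals %s" % (lineno, names))
```

Run it against each user's ~/.ssh/authorized_keys (and any AuthorizedKeysFile paths set in sshd_config); a reported line on a server whose `ssh -V` banner is below 10.3 is the configuration to upgrade or rework first. A plain cert-authority line without principals, or a principals option on an ordinary key, is deliberately not reported.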
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| OpenSSH | OpenSSH | before 10.3 |
Timeline
- Apr 2, 2026 CVE Published
- Apr 2, 2026 CVE Updated
- Apr 3, 2026 Security Advisory
- May 1, 2026 Distribution Patch
- May 1, 2026 Security Advisory
- May 4, 2026 Distribution Patch
- May 4, 2026 Security Advisory
- May 4, 2026 Distribution Patch
- May 4, 2026 Security Advisory
- May 5, 2026 Distribution Patch
- May 5, 2026 Security Advisory
- May 6, 2026 Distribution Patch
References
- https://ccb.belgium.be/advisories/warning-openssh-root-access-vulnerability-cve-2026-35414-patch-immediately advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-35414 vendor
- https://www.openssh.org/txt/release-10.3 vendor
- https://www.securityweek.com/openssh-flaw-allowing-full-root-shell-access-lurked-for-15-years/ technical