DEBIAN-CVE-2026-35414

DEBIAN-CVE-2026-35414 PUBLISHED CVSS 8.100000381469727 HIGH

OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.

Risk Scores

CVSS 3.1

8.100000381469727

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Debian:12	openssh	0, 1:10.0p1-1, 1:10.0p1-4
Debian:14	openssh	10.3, 0, 1:10.0p1-7
Debian:11	openssh	1:8.7p1-4, 1:8.9p1-2, 1:9.0p1-1
Debian:13	openssh	0, 1:10.0p1-7, 1:10.0p1-8

Exploit Intelligence

CVE-2026-35414 Vuln block (github-poc-repo)
CVE-2026-35414 Vuln block (github-poc)
poc.py (github-poc)
package.py (github-poc)

Timeline

Apr 2, 2026 CVE Published
May 16, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2026-35414 advisory

Open in Interactive Console →