{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-35414", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-02T17:08:15.208Z", "datePublished": "2026-04-02T17:08:15.628Z", "dateUpdated": "2026-04-02T18:17:04.391Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OpenSSH", "vendor": "OpenBSD", "versions": [{"lessThan": "10.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-670", "description": "CWE-670 Always-Incorrect Control Flow Implementation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-02T18:17:04.391Z"}, "references": [{"url": "https://www.openssh.org/releasenotes.html#10.3p1"}, {"url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2"}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/02/3"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.3"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T17:42:45.278974Z", "id": "CVE-2026-35414", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T17:43:24.725Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35414", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T17:42:45.278974Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T17:43:15.738Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OpenBSD", "product": "OpenSSH", "versions": [{"status": "affected", "version": "0", "lessThan": "10.3", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.openssh.org/releasenotes.html#10.3p1"}, {"url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2"}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/02/3"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-670", "description": "CWE-670 Always-Incorrect Control Flow Implementation"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "10.3"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-02T18:17:04.391Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35414", "state": "PUBLISHED", "dateUpdated": "2026-04-02T18:17:04.391Z", "dateReserved": "2026-04-02T17:08:15.208Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-02T17:08:15.628Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", "matchCriteriaId": "F40F50BC-86AA-4D7F-88A5-A244CD7606F3", "versionEndExcluding": "10.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters."}], "id": "CVE-2026-35414", "lastModified": "2026-04-10T19:36:57.163", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.5, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-02T18:16:34.690", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://www.openssh.org/releasenotes.html#10.3p1"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2026/04/02/3"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-670"}], "source": "cve@mitre.org", "type": "Primary"}]}

{"bugzilla": {"description": "OpenSSH: OpenSSH: Security bypass via mishandling of authorized_keys principals option", "id": "2454490", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454490"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-168", "details": ["OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.", "A flaw was found in OpenSSH. This vulnerability arises from the incorrect handling of the authorized_keys principals option in uncommon scenarios. Specifically, when a principals list is used with a Certificate Authority that includes comma characters, OpenSSH may misinterpret the input. This could lead to security bypasses, potentially allowing unintended access or information disclosure in specific authentication contexts."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-35414", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-02T17:08:15Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-35414\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-35414\nhttps://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2\nhttps://www.openssh.org/releasenotes.html#10.3p1\nhttps://www.openwall.com/lists/oss-security/2026/04/02/3"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,10.3)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "OpenSSH", "source": "cna", "vendor": "OpenBSD"}, "product": "openssh", "vendor": "openbsd"}], "analysis": {"en": {"generated_at": "2026-04-04T04:23:25.318412+00:00", "value": {"mitigation_remediation": ["Update OpenSSH to release 10.3 or later, which corrects the principals parsing issue.", "Verify that any authorized_keys entries do not contain principals lists with embedded commas when using a certificate authority.", "If an immediate update is not possible, consider disabling the principals option or restricting CA usage in authorized_keys until the patch is applied."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The issue impacts OpenBSD OpenSSH deployments running any release before 10.3. Systems that rely on principal restrictions for user identity or certificate-based access may be vulnerable if their authorized_keys entries reference a certificate authority with comma-separated principal entries.", "description_and_impact": "OpenSSH versions prior to 10.3 incorrectly parse the principals option in authorized_keys when it appears alongside a certificate authority that includes comma characters in its principal list. This parsing error lets an attacker create a key entry that satisfies a different principal than intended, thereby bypassing the configured authorization restrictions and potentially granting unauthorized access to higher privileges.", "risk_and_exploitability": "The CVSS score of 4.2 signifies moderate severity, and the EPSS score of less than 1\u202f% indicates a low likelihood of automated exploitation at present. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploitation. The probable attack vector is inferred: an attacker capable of modifying the authorized_keys file or who can obtain a certificate signed by a CA containing commas in its principal list could exploit the flaw. No public exploit has been documented yet, though the potential for privilege escalation remains for affected deployments."}}}}, "created": "2026-04-03T07:32:25.249162+00:00", "updated": "2026-04-07T07:55:53.264376+00:00", "vendors": ["openbsd", "openbsd$PRODUCT$openssh"]}