Vulnerability DatabaseCVE-2026-35414
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-35414
Published:April 02, 2026
Updated:April 20, 2026
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
Affected Packages
https://github.com/openssh/openssh-portable.git (GITHUB):
Affected version(s) >=V_1_2_PRE3 <V_10_3_P1
Fix Suggestion:
Update to version V_10_3_P1
Related Resources (3)
https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2
https://www.openssh.org/releasenotes.html#10.3p1
https://www.openwall.com/lists/oss-security/2026/04/02/3
Do you need more information?
Contact Us
CVSS v4
Base Score:
2.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.2
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Always-Incorrect Control Flow Implementation
CWE-670
EPSS
Base Score:
0.02