CVE-2026-35386: CWE-696 Incorrect Behavior Order in OpenBSD OpenSSH
In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % expansions in ssh_config.
AI Analysis
Technical Summary
CVE-2026-35386 affects the OpenSSH client in versions before 10.3 and is classified as CWE-696 (Incorrect Behavior Order), the class of bugs in which related operations run in the wrong sequence, for example a value being used before it is checked. The flaw is a command injection. ssh_config(5) supports percent tokens such as %r (the remote user name, i.e. the one given on the command line) that are expanded into the values of certain directives, and some of those directives, such as ProxyCommand and LocalCommand, are then executed through the user's shell. If the username on the ssh command line is attacker-controlled and contains shell metacharacters, and the configuration expands it into such a command, the shell interprets the metacharacters and runs the injected command. The entry does not state which directive is involved. Two conditions must both hold: the username must come from an untrusted source without sanitization, and ssh_config must contain a non-default %-expansion that feeds the username into a shell command; a default ssh_config is not affected. The CVSS 3.1 vector recorded for the entry is local attack vector (AV:L), high attack complexity (AC:H), low privileges required (PR:L) and no user interaction (UI:N), with impact on confidentiality and integrity but not availability. No exploitation in the wild has been reported, and although the affected range implies the fix shipped in OpenSSH 10.3, no patch reference is linked in the entry. The issue highlights the risk of custom ssh_config expansions and the need to validate usernames before they reach a command line.
Potential Impact
The impact is narrow but real in environments that meet both preconditions. An attacker who can choose the username that ends up on an ssh command line, on a host whose ssh_config expands that username into a shell command, can run arbitrary commands with the rights of the user invoking ssh, which is why the entry records impact on confidentiality and integrity (data read or modified as that user) but not availability. Default configurations are not exposed, which limits the attack surface to hosts with custom %-expansions. The likeliest victims are automation that builds ssh command lines from externally supplied identifiers: CI and deployment pipelines, provisioning scripts, multi-tenant gateways or bastions, and any service that lets users register a remote username that is later passed to ssh. Given the local vector and high attack complexity recorded for the entry, broad exploitation is unlikely, but a targeted attack against such a pipeline could be serious.
Mitigation Recommendations
To mitigate CVE-2026-35386, organizations should:
1) Upgrade to OpenSSH 10.3 or later, the first release the entry describes as unaffected, and treat the items below as compensating controls until that is done.
2) Never pass an untrusted or externally supplied username to ssh on a command line when ssh_config contains %-expansions (for example %r in ProxyCommand, LocalCommand or a Match exec clause) that end up in a shell command.
3) Review custom ssh_config settings that use % tokens and remove any that are not strictly necessary; where an expansion is needed, avoid tokens that can carry attacker-controlled text.
4) Validate usernames against a strict allowlist (portable POSIX user names, no shell metacharacters, no leading '-') before they reach ssh, and build the ssh invocation as an argument vector rather than a shell string, passing the username with -l so it can never be parsed as an option.
5) Run ssh under the least privilege the job needs so that a successful injection is contained.
6) Audit automation, scripts and multi-tenant systems for places where usernames are user-supplied or dynamically generated and then handed to ssh.
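The username validation, argv construction and ssh_config audit recommended above, as an added example written for this page (it is not code from OpenSSH or from the CVE entry). It rejects a username before ssh sees it, builds the ssh invocation as an argv list with the username behind -l, and scans an ssh_config for directives that expand %r into a shell command. The directive list, the username pattern and the sample configuration are assumptions for illustration; the entry does not say which directive the CVE concerns.

```python
import re
import shlex
from typing import List, Optional, Tuple

# Shape of a portable POSIX user name (assumption; tighten to your IdP's rules).
_USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

# Characters a POSIX shell treats specially.  Any of them in a value that
# ssh_config will %-expand into a command string is rejected outright.
_SHELL_META = frozenset("`$|&;<>()[]{}*?!~\"'\\ \t\n#")

# ssh_config directives whose value is run through the user's shell after
# token expansion (per ssh_config(5)); the entry does not say which one the
# CVE concerns, so this list is an assumption.  %r is the remote user name,
# i.e. the one taken from the command line.
_SHELL_DIRECTIVES = ("proxycommand", "localcommand")


class UnsafeUsername(ValueError):
    """Raised for a username that must not reach ssh."""


def check_username(name: str) -> str:
    """Return name unchanged if it is safe to put on an ssh command line."""
    if not name:
        raise UnsafeUsername("empty username")
    bad = sorted(set(name) & _SHELL_META)
    if bad:
        raise UnsafeUsername(f"shell metacharacters {bad} in {name!r}")
    if name.startswith("-"):
        raise UnsafeUsername(f"{name!r} would be parsed as an ssh option")
    if not _USERNAME_RE.fullmatch(name):
        raise UnsafeUsername(f"{name!r} is not a portable user name")
    return name


def build_ssh_argv(user: str, host: str, remote_cmd: Optional[str] = None) -> List[str]:
    """Build argv for subprocess.run(argv) with no shell in between.

    The username travels through -l, so a value starting with '-' can never be
    taken as an option, and nothing re-joins the argv elements into a string.
    """
    user = check_username(user)
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9.-]*", host):
        raise ValueError(f"unsafe hostname {host!r}")
    argv = ["ssh", "-o", "BatchMode=yes", "-l", user, host]
    if remote_cmd is not None:
        argv.append(remote_cmd)  # one argv element; only the remote side parses it
    return argv


def audit_ssh_config(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, directive, value) for every place %r reaches a shell.

    Covers ProxyCommand/LocalCommand values and Match blocks with an exec
    clause, which ssh also runs through the shell.  Comment stripping is
    naive ('#' inside quotes ends the value), which is acceptable for an audit.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if "%r" not in value:
            continue
        if key in _SHELL_DIRECTIVES or (key == "match" and "exec" in value.lower()):
            findings.append((no, key, value))
    return findings


# Constructed sample ssh_config for the audit; not taken from any real host.
SAMPLE_CONFIG = """\
# constructed sample, not a real configuration
Host bastion
    ProxyCommand ssh -W %h:%p jump-%r@gw.example.com
Host *.internal
    ProxyCommand nc -x proxy.example.com:1080 %h %p
    LocalCommand logger "ssh session for %r"
Match host legacy exec "check-user %r"
    User legacy
"""


if __name__ == "__main__":
    for no, key, value in audit_ssh_config(SAMPLE_CONFIG):
        print(f"ssh_config line {no}: {key} expands %r into a shell command: {value}")
    print(shlex.join(build_ssh_argv("deploy", "build01.example.com", "uptime")))
    for bad in ("`id`", "$(id)", "-oProxyCommand=id", "a;b"):
        try:
            check_username(bad)
        except UnsafeUsername as exc:
            print("rejected:", exc)
```

The audit flags the first ProxyCommand, the LocalCommand and the Match exec line of the sample, but not the second ProxyCommand, which expands only %h and %p. The same review should be extended to %h where hostnames are also untrusted; this example keeps to the username case the entry describes.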
Affected Countries
United States, United Kingdom, Germany, France, Japan, South Korea, India, Australia, Canada, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-04-02T16:44:27.451Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69cea282e6bfc5ba1ded3a57
Added to database: 4/2/2026, 5:08:18 PM
Last enriched: 4/2/2026, 5:24:13 PM
Last updated: 4/2/2026, 7:30:37 PM