CVE-2026-35414: CWE-670 Always-Incorrect Control Flow Implementation in OpenBSD OpenSSH
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
AI Analysis
Technical Summary
CVE-2026-35414 affects OpenSSH versions prior to 10.3 and is classified as an always-incorrect control flow implementation (CWE-670) in the handling of the authorized_keys principals option. When a principals list is used together with a Certificate Authority (CA) that makes certain use of comma characters, OpenSSH mishandles the validation logic, so SSH certificate principals may be verified incorrectly and, under specific conditions, an attacker could bypass the intended access controls or impersonate an authorized user. The vulnerability requires network access and low privileges but has high attack complexity: exploitation is non-trivial and likely requires detailed knowledge of the target environment and configuration. The CVSS v3.1 score is 4.2 (medium), reflecting limited confidentiality and integrity impact and no availability impact; no user interaction is needed and the scope is unchanged, so only the vulnerable OpenSSH instance itself is affected. No public exploits are known, but the flaw is relevant to environments that rely on SSH certificate-based authentication with non-trivial principals configurations. It illustrates the importance of correct control flow in security-critical code paths, especially in a widely deployed authentication mechanism like OpenSSH.
Potential Impact
The vulnerability could allow attackers to bypass or subvert SSH certificate principal validation, potentially granting unauthorized access or impersonation capabilities. This undermines the confidentiality and integrity of systems relying on OpenSSH for secure remote access, especially in environments using certificate authorities with complex principal lists involving commas. While the attack complexity is high, successful exploitation could lead to unauthorized lateral movement within networks, data exposure, or privilege escalation in sensitive systems. The lack of availability impact means systems remain operational but compromised in trustworthiness. Organizations with extensive SSH deployments, particularly those using certificate-based authentication, face increased risk of unauthorized access if unpatched. The absence of known exploits reduces immediate threat but does not eliminate future risk, necessitating proactive mitigation.
Mitigation Recommendations
1. Upgrade OpenSSH to version 10.3 or later, where this vulnerability is addressed.
2. Review and simplify authorized_keys principals configurations, avoiding complex comma usage with certificate authorities where possible.
3. Implement strict monitoring and logging of SSH authentication attempts to detect anomalous access patterns potentially exploiting this flaw.
4. Employ multi-factor authentication (MFA) alongside SSH certificates to add an additional security layer.
5. Conduct regular audits of SSH certificate authorities and principals to ensure adherence to best practices and minimize attack surface.
6. Use network segmentation and least privilege principles to limit the impact of any unauthorized access resulting from this vulnerability.
7. Stay informed on OpenSSH security advisories for any emerging exploits or patches related to this issue.
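Mitigation step 2 asks for a review of authorized_keys entries that combine cert-authority with a comma-separated principals list. The script below is an added example, not code from this advisory or from OpenSSH: it parses the authorized_keys options field (quoted option values may themselves contain commas) and flags such entries for review. The sample file content and key blobs are constructed placeholders; the script identifies configurations worth reviewing and does not determine whether a given entry triggers the flaw.

```python
import re
from typing import Dict, List, Optional, Tuple
# Constructed sample authorized_keys content; key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER1 alice@example
cert-authority,principals="alice" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER2 ca-one
cert-authority,principals="alice,bob,deploy" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER3 ca-two
principals="x,y" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER4 no-ca
"""
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
# One option: name, optionally ="quoted value" (may hold commas and \" escapes) or =bare value.
OPTION_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)"|=([^,]*))?')
# Options field runs to the first unquoted whitespace; the remainder is key type, blob, comment.
OPTS_FIELD_RE = re.compile(r'^((?:[^\s"]|"(?:[^"\\]|\\.)*")+)\s+(.*)$')

def split_options(opts: str) -> Dict[str, Optional[str]]:
    result: Dict[str, Optional[str]] = {}
    for m in OPTION_RE.finditer(opts):
        name, quoted, bare = m.groups()
        result[name.lower()] = quoted.replace('\\"', '"') if quoted is not None else bare
    return result

def parse_line(line: str) -> Optional[Tuple[Dict[str, Optional[str]], str]]:
    """Return (options, rest-of-line), or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPE_PREFIXES):
        return {}, line  # no options field at all
    m = OPTS_FIELD_RE.match(line)
    return (split_options(m.group(1)), m.group(2)) if m else (split_options(line), "")

def find_ca_principal_lists(text: str) -> List[Tuple[int, List[str], str]]:
    """Flag cert-authority entries whose principals= value is a comma-separated list."""
    findings: List[Tuple[int, List[str], str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        opts, rest = parsed
        principals = opts.get("principals")
        if "cert-authority" in opts and principals and "," in principals:
            fields = rest.split()
            comment = fields[2] if len(fields) > 2 else ""
            findings.append((lineno, principals.split(","), comment))
    return findings

if __name__ == "__main__":
    for lineno, principals, comment in find_ca_principal_lists(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno} ({comment}): review principals list {principals}")
```

Point it at real files by reading each user's authorized_keys (and any AuthorizedKeysFile paths set in sshd_config) into the text argument; entries listed here are candidates for simplification per step 2, not confirmed exploitable ones.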
Affected Countries
United States, Germany, United Kingdom, Japan, South Korea, France, Canada, Australia, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-04-02T17:08:15.208Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69cea98de6bfc5ba1defd642
Added to database: 4/2/2026, 5:38:21 PM
Last enriched: 4/2/2026, 5:55:09 PM
Last updated: 4/4/2026, 7:03:42 AM