
OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 Years

0
Low
Vulnerability
Published: Mon Apr 27 2026 (04/27/2026, 12:29:18 UTC)
Source: SecurityWeek

Description

A vulnerability in OpenSSH, tracked as CVE-2026-35414, existed for 15 years and allowed full root shell access due to a code reuse issue. The flaw involved mishandling of comma characters in SSH certificate principals, which were incorrectly interpreted as list separators. This parsing error enabled an attacker with a valid certificate from a trusted CA to bypass access controls and authenticate as root. Exploitation does not generate authentication failures in logs, making detection via log analysis unreliable. The vulnerability was fixed in OpenSSH version 10.3 released in early April 2026. Organizations using affected versions are advised to update promptly to mitigate risk.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 04/27/2026, 12:30:13 UTC

Technical Analysis

CVE-2026-35414 is a vulnerability in OpenSSH affecting versions released over the past 15 years. It arises from a code reuse error where comma characters in SSH certificate principals are treated as list separators during authentication. This causes the server to incorrectly grant root access if a principal contains a comma-separated value like 'deploy,root'. The flaw allows an attacker possessing a valid certificate from a trusted certificate authority to bypass access controls and gain full root shell access. The authentication bypass does not trigger log-based detection mechanisms, complicating incident identification. The issue was resolved in OpenSSH 10.3 in early April 2026.

Potential Impact

Successful exploitation grants an attacker full root shell access on vulnerable OpenSSH servers, potentially compromising all servers within an organization using affected versions. The bypass of authentication controls occurs without generating authentication failure logs, reducing the likelihood of detection through standard log monitoring. This elevates the risk of undetected privilege escalation and system compromise.

Mitigation Recommendations

A fix for this vulnerability is available in OpenSSH version 10.3 released in early April 2026. Organizations should audit their environments to identify affected OpenSSH versions and update to version 10.3 or later as soon as possible. No alternative mitigations are indicated. Patch status is confirmed by the vendor advisory.
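Because the bypass leaves no authentication failures in logs, a CA operator can instead audit the certificates it has issued for principals that contain a comma, such as the 'deploy,root' value described above. The following is an added example, not code from the article or from OpenSSH: `audit_principals` is a hypothetical helper, the listing is constructed sample data, and it assumes the `ssh-keygen -L` layout in which each principal is printed on its own line, indented under a `Principals:` header.

```python
# Added example: flag SSH certificate principals that contain a comma.
# Input is text in the layout printed by `ssh-keygen -L -f <cert>` (assumed layout).

# Constructed sample listing for two user certificates (not real data).
SAMPLE = """\
alice-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Key ID: "alice-laptop"
        Serial: 1001
        Principals:
                deploy
                alice
        Critical Options: (none)
bob-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Key ID: "ci-runner-7"
        Serial: 1002
        Principals:
                deploy,root
        Critical Options: (none)
"""

def audit_principals(listing):
    """Return (cert_file, key_id, principal) for each principal containing a comma."""
    findings, cert, key_id, list_indent = [], None, None, None
    for line in listing.splitlines():
        text = line.strip()
        indent = len(line) - len(line.lstrip())
        # Lines indented deeper than the "Principals:" header are list entries.
        if list_indent is not None and text and indent > list_indent:
            if "," in text:
                findings.append((cert, key_id, text))
            continue
        list_indent = None  # any other line ends the principals list
        if indent == 0 and text.endswith(":"):
            cert, key_id = text[:-1], None  # start of a new certificate
        elif text.startswith("Key ID:"):
            key_id = text.split(":", 1)[1].strip().strip('"')
        elif text.startswith("Principals:"):
            list_indent = indent
    return findings

if __name__ == "__main__":
    for cert, key_id, principal in audit_principals(SAMPLE):
        print(f"{cert}: key id {key_id!r} has comma in principal {principal!r}")
```

A finding identifies a certificate to review and reissue; it does not replace updating the servers to OpenSSH 10.3 or later.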


Technical Details

Article Source
{"url":"https://www.securityweek.com/openssh-flaw-allowing-full-root-shell-access-lurked-for-15-years/","fetched":true,"fetchedAt":"2026-04-27T12:30:05.158Z","wordCount":1034}

Threat ID: 69ef56cdba26a39fba231582

Added to database: 4/27/2026, 12:30:05 PM

Last enriched: 4/27/2026, 12:30:13 PM

Last updated: 4/28/2026, 1:44:50 AM
