Shell Metacharacter Exploit in OpenSSH Enables Command Execution
CVE-2026-35386

3.6LOW

Key Information:

Vendor: OpenBSD
Status: Openssh
Vendor: CVE Published:; 2 April 2026

What is CVE-2026-35386?

Prior to version 10.3, OpenSSH is susceptible to a command execution vulnerability that can be exploited through shell metacharacters present in the username. This exploit arises when an untrusted username is used in a command line context and under specific non-default configurations in ssh_config that allow such manipulation. This poses a significant risk of unauthorized command execution, emphasizing the need for users to update their OpenSSH installations and apply standard security practices.

Affected Version(s)

OpenSSH 0 < 10.3

References

https://www.openssh.org/releasenotes.html#10.3p1

https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2

https://www.openwall.com/lists/oss-security/2026/04/02/3

CVSS V3.1

Score:

3.6

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 2, 2026
Vulnerability Reserved
Apr 2, 2026

CVE-2026-35386 Data

JSON

OpenBSD

What is CVE-2026-35386?

Affected Version(s)

References

CVSS V3.1

Timeline