Connection Multiplexing Vulnerability in OpenSSH by OpenSSH
CVE-2026-35388

2.5 LOW

Key Information:

Vendor: OpenBSD

Status
Vendor
CVE Published: 2 April 2026

What is CVE-2026-35388?

OpenSSH versions prior to 10.3 have a flaw in their connection multiplexing functionality. Specifically, OpenSSH fails to confirm the proper setup of proxy-mode multiplexing sessions, which could enable an attacker to exploit the session without detection. This oversight may allow unauthorized access to sensitive data or facilitate further exploitation of the infrastructure, so users should upgrade to version 10.3 or later to mitigate the risk.

Affected Version(s)

OpenSSH: all versions before 10.3 (0 < 10.3)

CVSS V3.1

Score: 2.5
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved