OpenSSH Vulnerability in Authorized Keys Handling
CVE-2026-35414

4.2 MEDIUM

Key Information:

Vendor: OpenBSD

Status
Vendor
CVE Published: 2 April 2026

What is CVE-2026-35414?

OpenSSH versions prior to 10.3 mishandle the authorized_keys principals option. The issue arises when a principals list is used together with a Certificate Authority that incorrectly utilizes comma characters. This improper handling can lead to unintended access being granted and to potential security breaches if exploited.

Affected Version(s)

OpenSSH 0 < 10.3

CVSS V3.1

Score: 4.2
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
