Security Weakness in OpenSSH's sshd Server Configuration
CVE-2026-59999

5.9MEDIUM

Key Information:

Vendor

OpenBSD

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-59999?

A configuration issue exists in the sshd component of OpenSSH versions prior to 10.4, where the setting of 'DisableForwarding=yes' does not properly take precedence over 'PermitTunnel=yes'. This flaw can lead to unexpected behavior in SSH tunneling configurations, potentially allowing unauthorized port forwarding when it should be disabled. Users are advised to review their sshd configuration settings to ensure intended security policies are enforced.

Affected Version(s)

OpenSSH 0 < 10.4

References

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.