Authentication Delay Bypass in OpenSSH by OpenSSH
CVE-2026-60001

6.5MEDIUM

Key Information:

Vendor

OpenBSD

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-60001?

OpenSSH versions prior to 10.4 have a vulnerability in the sshd component that does not consistently enforce the minimum authentication delay intended to mitigate brute-force attacks. This oversight could allow an attacker to exploit the timing of authentication attempts, potentially facilitating unauthorized access and compromising the integrity of the system. Upgrading to the latest version is highly recommended to ensure robust security practices.

Affected Version(s)

OpenSSH 0 < 10.4

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.