{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-35414", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-02T17:08:15.208Z", "datePublished": "2026-04-02T17:08:15.628Z", "dateUpdated": "2026-04-02T18:17:04.391Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OpenSSH", "vendor": "OpenBSD", "versions": [{"lessThan": "10.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-670", "description": "CWE-670 Always-Incorrect Control Flow Implementation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-02T18:17:04.391Z"}, "references": [{"url": "https://www.openssh.org/releasenotes.html#10.3p1"}, {"url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2"}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/02/3"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.3"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T17:42:45.278974Z", "id": "CVE-2026-35414", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T17:43:24.725Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35414", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T17:42:45.278974Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T17:43:15.738Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OpenBSD", "product": "OpenSSH", "versions": [{"status": "affected", "version": "0", "lessThan": "10.3", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.openssh.org/releasenotes.html#10.3p1"}, {"url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2"}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/02/3"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-670", "description": "CWE-670 Always-Incorrect Control Flow Implementation"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "10.3"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-02T17:43:54.777Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35414", "state": "PUBLISHED", "dateUpdated": "2026-04-02T17:43:54.777Z", "dateReserved": "2026-04-02T17:08:15.208Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-02T17:08:15.628Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters."}], "id": "CVE-2026-35414", "lastModified": "2026-04-02T18:16:34.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.5, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-02T18:16:34.690", "references": [{"source": "cve@mitre.org", "url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2"}, {"source": "cve@mitre.org", "url": "https://www.openssh.org/releasenotes.html#10.3p1"}, {"source": "cve@mitre.org", "url": "https://www.openwall.com/lists/oss-security/2026/04/02/3"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-670"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,10.3)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "OpenSSH", "source": "cna", "vendor": "OpenBSD"}, "product": "openssh", "vendor": "openbsd"}], "analysis": {"en": {"generated_at": "2026-04-02T23:15:32.269085+00:00", "value": {"mitigation_remediation": ["Upgrade OpenSSH to version 10.3p1 or later"], "summary": {"action": "Patch", "impact": "Unauthorized SSH access via principal misinterpretation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects OpenBSD OpenSSH installations running any release before version 10.3. All earlier releases\u2014from the initial OpenSSH launch through 10.2\u2014are impacted.", "description_and_impact": "OpenSSH versions prior to 10.3 mishandle the authorized_keys principals option when a principals list is combined with a Certificate Authority that includes comma characters. The server mistakenly accepts the key, treating the comma as a separator and allowing authentication with principals that should be disallowed. This flaw enables an attacker who supplies a credential that meets the misparsed principal criteria to obtain SSH access to the system.", "risk_and_exploitability": "The CVSS score of 4.2 reflects a moderate severity. Exploitation requires the attacker to possess a valid SSH key with a principals list containing comma characters and to trust a Certificate Authority that uses commas in its configuration. The attack vector is inferred from the description, not explicitly documented elsewhere. EPSS data is unavailable, and the flaw is not listed in CISA\u2019s KEV catalog, suggesting limited breadth of public exploitation. Nonetheless, once exploited, the attacker gains unauthorized SSH access to the host."}}}}, "created": "2026-04-03T07:32:25.249162+00:00", "title": "OpenSSH Authorized Keys Principal Parsing Vulnerability with Comma Characters", "updated": "2026-04-03T09:18:13.487078+00:00", "vendors": ["openbsd", "openbsd$PRODUCT$openssh"]}