Cyber Posture

CVE-2026-35386

Severity: Low

Published: 02 April 2026

Modified: 27 April 2026
KEV Added: not listed
Patch: (none listed)
CVSS Score: 3.6 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.0003 (9.6th percentile)
Risk Priority: 7 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-35386 is a low-severity Incorrect Behavior Order (CWE-696) vulnerability in OpenBSD OpenSSH. Its CVSS base score is 3.6 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 9.6th percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and one other technique, Unix Shell (T1059.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2, Flaw Remediation): Directly mitigates the vulnerability by requiring timely remediation through upgrading OpenSSH to version 10.3 or later, where the flaw is patched.

Prevent (CM-6, Configuration Settings): Prevents exploitation by establishing and monitoring secure configuration settings in ssh_config, avoiding the non-default % directive required for the attack.

Prevent: Addresses the untrusted username input by validating and sanitizing shell metacharacters before they are passed on the ssh command line.
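As an added illustration of the third control above (this is example code written for this page, not code from the page, from NIST, or from the OpenSSH project), the following Python shows the check a wrapper or automation tool can apply before it hands an untrusted username to the ssh client. The username and host patterns, the exception type, and the argv shape are assumptions chosen for the example; the point is that a username is accepted only if it contains nothing outside a narrow allowlist, so no shell metacharacter can reach the ssh command line, and that ssh is invoked with an argument list rather than a shell string.

```python
"""Allowlist validation of untrusted usernames before invoking the ssh client.

Example code for CVE-2026-35386 mitigation; the policy below is an assumption,
not an OpenSSH or NIST artifact. Tighten the patterns to your environment.
"""
import re
import subprocess
from typing import List

# Portable POSIX username characters (letters, digits, '.', '_', '-'), a
# leading letter or underscore, and a 32-character cap.  Anything else,
# including every shell metacharacter ($ ` ; | & < > ( ) { } ' " \ space,
# newline) and a leading '-', is rejected rather than escaped.
_USERNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]{0,31}$")

# Hostnames: alphanumerics, dots and hyphens, no leading '-' (would parse as
# an ssh option) and a 253-character cap.  Assumed policy for the example.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


class UnsafeUsername(ValueError):
    """Raised when a username falls outside the allowlist."""


class UnsafeHost(ValueError):
    """Raised when a hostname falls outside the allowlist."""


def validate_username(name: str) -> str:
    """Return ``name`` unchanged if it matches the allowlist, else raise.

    Validation is allowlist-only: we never try to strip or quote bad
    characters, because a sanitizer that misses one case still lets a
    metacharacter through, while a strict match cannot.
    """
    if not isinstance(name, str) or _USERNAME_RE.fullmatch(name) is None:
        raise UnsafeUsername(f"rejected username: {name!r}")
    return name


def validate_host(host: str) -> str:
    """Return ``host`` unchanged if it matches the allowlist, else raise."""
    if not isinstance(host, str) or _HOST_RE.fullmatch(host) is None:
        raise UnsafeHost(f"rejected host: {host!r}")
    return host


def build_ssh_argv(user: str, host: str) -> List[str]:
    """Build the ssh argument vector from validated inputs.

    Returned as a list so the caller passes it to subprocess without a
    shell; BatchMode=yes keeps an unattended tool from hanging on prompts.
    """
    user = validate_username(user)
    host = validate_host(host)
    return ["ssh", "-o", "BatchMode=yes", f"{user}@{host}"]


def run_ssh(user: str, host: str, timeout: float = 30.0) -> subprocess.CompletedProcess:
    """Validate, then run ssh with an argv list (shell=False is the default)."""
    argv = build_ssh_argv(user, host)
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    # Constructed sample inputs: two acceptable names and several that an
    # untrusted caller might supply.  Nothing here contacts a real host.
    samples = ["alice", "svc_backup-01", "alice;id", "$(whoami)",
               "alice bob", "alice\nbob", "-oSomeOption", ""]
    for candidate in samples:
        try:
            validate_username(candidate)
            print(f"accepted {candidate!r}")
        except UnsafeUsername as exc:
            print(f"rejected: {exc}")
    print(build_ssh_argv("alice", "bastion.example.internal"))
```

A wrapper that applies this before every ssh invocation removes the "untrusted username on the command line" precondition the NVD description names, independently of whether the client has been upgraded or the ssh_config directive is in use.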

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The vulnerability enables local arbitrary command execution via shell metacharacters in username input to the OpenSSH client under a specific non-default configuration, which maps to client-side exploitation (T1203) and use of the Unix shell interpreter (T1059.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config.

Deeper analysis

CVE-2026-35386 affects OpenSSH versions prior to 10.3: command execution can occur via shell metacharacters embedded in a username passed on the command line. The issue arises only where the username is untrusted, and it requires a non-default configuration involving the % directive in ssh_config. Classified under CWE-696 (Incorrect Behavior Order: Ascending or Descending), it carries a CVSS v3.1 base score of 3.6 (AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N), indicating low severity with limited impact on confidentiality and integrity and no availability disruption.

Exploitation requires local access (AV:L) by an attacker with low privileges (PR:L), along with high attack complexity (AC:H) due to the specific prerequisites: an untrusted username on the ssh command line and the rare non-default % configuration in ssh_config. A successful attack allows the attacker to execute arbitrary commands through shell metacharacters in the username, potentially leading to limited unauthorized access or modification (low C/I impact), though the unchanged scope (S:U) confines effects to the local system.

OpenSSH release notes for version 10.3p1 document the fix for this issue, recommending an upgrade to mitigate the vulnerability. Announcements on mailing lists such as openssh-unix-dev and oss-security confirm the patch availability and detail the configuration-dependent nature of the flaw.

Details

CWE(s): CWE-696 (Incorrect Behavior Order)

Affected Products: openbsd openssh ≤ 10.3

CVEs Like This One

CVE-2026-35385 (same product: OpenBSD OpenSSH)
CVE-2026-35414 (same product: OpenBSD OpenSSH)
CVE-2025-26466 (same product: OpenBSD OpenSSH)
CVE-2025-0150 (shared CWE-696)
CVE-2026-35637 (shared CWE-696)
CVE-2026-35627 (shared CWE-696)
CVE-2026-35652 (shared CWE-696)
CVE-2026-35640 (shared CWE-696)
CVE-2026-44600 (shared CWE-696)
CVE-2025-26465 (same product: OpenBSD OpenSSH)

References