Cyber Posture

CVE-2026-35414

Medium

Published: 02 April 2026
Modified: 10 April 2026
KEV Added: not listed
Patch: OpenSSH 10.3 (see release notes below)
CVSS Score: 4.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.0002 (6.5th percentile)
Risk Priority: 8 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-35414 is a medium-severity Always-Incorrect Control Flow Implementation (CWE-670) vulnerability in OpenBSD OpenSSH. Its CVSS v3.1 base score is 4.2 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 6.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2, Flaw Remediation)

Requires timely identification, reporting, and correction of flaws such as the OpenSSH principals parsing vulnerability, here by patching to version 10.3 or later.

detect

Enables vulnerability scanning to identify systems running OpenSSH versions affected by CVE-2026-35414.

prevent (CM-6, Configuration Settings)

Mandates secure configuration settings for OpenSSH to minimize exposure to the uncommon authorized_keys principals scenarios involving commas.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is in OpenSSH (a commonly exposed remote access service) and is exploitable over the network (AV:N), so it could serve as initial access through a public-facing application, despite its high attack complexity and low impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.

Deeper analysis

CVE-2026-35414 affects OpenSSH versions before 10.3, where the software mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters. The vulnerability is classified under CWE-670 and carries a CVSS v3.1 base score of 4.2 (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N), indicating a network-reachable issue with high attack complexity and limited impact.

Exploitation requires low privileges (PR:L) and can be performed over the network (AV:N) without user interaction (UI:N), though the high attack complexity (AC:H) limits practicality. Successful attacks result in low impacts to confidentiality and integrity (C:L/I:L), with no availability disruption (A:N) and unchanged scope (S:U).

The fix ships in OpenSSH 10.3, as detailed in the project's release notes at https://www.openssh.org/releasenotes.html#10.3p1. Further technical discussion appears on the developer and security mailing lists, including https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2 and https://www.openwall.com/lists/oss-security/2026/04/02/3, both of which recommend upgrading to a patched version.
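The "detect" control above comes down to finding hosts whose sshd still advertises a version older than 10.3. The following is an added example written for this page, not code from OpenSSH or from Cyber Posture: it parses the version banner sshd sends on connect and compares it numerically against the fixed version, so that 9.9 is correctly ranked below 10.3 (a plain string comparison would get that wrong). The host names and banners are constructed sample data, and the fixed version comes from the release notes cited above.

```python
import re

# Constructed sample banners (not taken from the page). Real banners follow the
# shape "SSH-2.0-OpenSSH_<major>.<minor>[p<patch>] [vendor suffix]".
SAMPLE_BANNERS = {
    "host-a": "SSH-2.0-OpenSSH_9.9p2 Debian-5",
    "host-b": "SSH-2.0-OpenSSH_10.3p1",
    "host-c": "SSH-2.0-OpenSSH_10.0",
    "host-d": "SSH-2.0-dropbear_2022.83",
}

# CVE-2026-35414 is fixed in OpenSSH 10.3 (release notes cited on this page).
FIXED_IN = (10, 3)

# Major and minor are what decide the comparison; the "pN" portable suffix is
# captured but not used, since it does not change the upstream release.
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner):
    """Return (major, minor) from an SSH banner, or None if it is not OpenSSH."""
    match = _VERSION_RE.search(banner)
    if match is None:
        return None
    return (int(match.group(1)), int(match.group(2)))


def is_affected(banner):
    """True when the banner advertises an OpenSSH release older than 10.3.

    Tuples compare element by element, so (9, 9) < (10, 3) holds even though
    the string "9.9" would sort after "10.3".
    """
    version = parse_openssh_version(banner)
    if version is None:
        return False
    return version < FIXED_IN


def triage(banners):
    """Classify each host as 'affected', 'patched' or 'not-openssh'."""
    result = {}
    for host, banner in banners.items():
        if parse_openssh_version(banner) is None:
            result[host] = "not-openssh"
        elif is_affected(banner):
            result[host] = "affected"
        else:
            result[host] = "patched"
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {status}")
```

One caveat for anyone turning this into a scanner check: distribution packages often backport security fixes without changing the upstream version in the banner, so a host that this reports as "affected" should be confirmed against the package changelog before it is treated as unpatched.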

Details

CWE(s)

CWE-670: Always-Incorrect Control Flow Implementation

Affected Products

openbsd openssh ≤ 10.3

CVEs Like This One

CVE-2026-35385 (same product: OpenBSD OpenSSH)
CVE-2026-35386 (same product: OpenBSD OpenSSH)
CVE-2025-43359 (shared CWE-670)
CVE-2026-33011 (shared CWE-670)
CVE-2026-26267 (shared CWE-670)
CVE-2025-58136 (shared CWE-670)
CVE-2026-34946 (shared CWE-670)
CVE-2025-26466 (same product: OpenBSD OpenSSH)
CVE-2025-21607 (shared CWE-670)
CVE-2026-40960 (shared CWE-670)
