Cyber Resilience

CVE-2026-35414

Severity: Medium
Published: 02 April 2026
Modified: 10 April 2026
KEV Added: not listed
Patch: available
CVSS v3.1: 4.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
EPSS: 0.0018 (7.2th percentile)
Risk Priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-35414 is a medium-severity Always-Incorrect Control Flow Implementation (CWE-670) vulnerability in OpenBSD OpenSSH. Its CVSS v3.1 base score is 4.2 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 7.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-35414 affects OpenSSH versions before 10.3, where the software mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters. The vulnerability is classified under CWE-670 and carries a CVSS v3.1 base score of 4.2 (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N): a medium-severity issue that is reachable over the network but has high attack complexity.

Exploitation requires low privileges (PR:L) and can be performed over the network (AV:N) without user interaction (UI:N), though the high attack complexity (AC:H) limits practicality. Successful attacks result in low impacts to confidentiality and integrity (C:L/I:L), with no availability disruption (A:N) and unchanged scope (S:U).

The fix ships in OpenSSH 10.3, as detailed in the project's release notes at https://www.openssh.org/releasenotes.html#10.3p1. Further technical discussion appears on developer and security mailing lists, including https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2 and https://www.openwall.com/lists/oss-security/2026/04/02/3, both recommending an upgrade to the patched version.

Vulnerability details

OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is in OpenSSH (a commonly exposed remote access service) and is exploitable over the network (AV:N), enabling initial access via exploitation of a public-facing application despite high complexity and low impact.

Confidence: MEDIUM (MITRE ATT&CK Enterprise v19.0)

CVEs Like This One

CVE-2026-35386 (same product: OpenBSD OpenSSH)
CVE-2026-35385 (same product: OpenBSD OpenSSH)
CVE-2026-48844 (shared CWE-670)
CVE-2026-33011 (shared CWE-670)
CVE-2025-43359 (shared CWE-670)
CVE-2026-26267 (shared CWE-670)
CVE-2025-58136 (shared CWE-670)
CVE-2026-38361 (shared CWE-670)
CVE-2026-34946 (shared CWE-670)
CVE-2025-26466 (same product: OpenBSD OpenSSH)

Affected Assets

Vendor: openbsd
Product: openssh
Versions: ≤ 10.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-2 Flaw Remediation

Requires timely identification, reporting, and correction of flaws such as the OpenSSH principals parsing vulnerability, by patching to version 10.3 or later.

Detect

Enables vulnerability scanning to identify systems running OpenSSH versions affected by CVE-2026-35414.

Prevent: CM-6 Configuration Settings

Mandates secure configuration settings for OpenSSH to minimize exposure to the uncommon authorized_keys principals scenarios involving commas.
