Description
In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).
Published: 2026-04-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Setuid/Setgid Assignment via scp
Action: Immediate Patch
AI Analysis

Impact

OpenSSH versions before 10.3 let a file received by scp be created with setuid or setgid bits when scp runs as root, uses the legacy scp protocol (-O), and omits -p. In the legacy protocol the sending side announces each file's mode in the transfer record, and the receiver creates the local file with that mode. The umask applied at file creation clears only read/write/execute bits, so setuid, setgid and sticky bits announced by the remote side survive even though the user never asked for the mode to be preserved. Because the file is created by a root process it is owned by root, so an announced setuid bit yields a setuid-root executable, and anyone able to run it gains root. The weakness is an improper preservation of permissions (CWE-281).
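The receive path described above, modelled in code as an added example (this is not OpenSSH source): the legacy protocol's file record `C<octal mode> <size> <name>` is parsed, and the resulting local mode is computed both as an affected receiver ends up with it (announced mode straight into open(2), where umask strips only the rwx bits) and with the mask a receiver applies when -p was not given. The record string and umask value are constructed sample input; the function names and the two receiver variants are illustrative, not OpenSSH's.

```python
"""Model of the legacy scp receive path: announced mode vs. installed mode.

Added example for this page; it is not OpenSSH source. The file record
format ('C' + octal mode, size, name) is the legacy scp protocol's; the
function names and the two receiver variants are illustrative.
"""
import os
import stat
import tempfile

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX


def parse_scp_file_header(line: str) -> tuple:
    """Parse one legacy scp file record such as 'C4755 12 evil\\n'.

    Returns (mode, size, name). The mode is whatever the sending side put
    on the wire; nothing about it is checked against local policy here.
    """
    line = line.rstrip("\n")
    if not line.startswith("C"):
        raise ValueError("not a file record: %r" % line)
    fields = line[1:].split(" ", 2)
    if len(fields) != 3:
        raise ValueError("malformed file record: %r" % line)
    mode_s, size_s, name = fields
    mode = int(mode_s, 8)   # raises ValueError on non-octal digits
    size = int(size_s, 10)
    if name in ("", ".", "..") or "/" in name:
        raise ValueError("unsafe file name in record: %r" % name)
    return mode, size, name


def installed_mode_affected(announced: int, umask_value: int, preserve: bool) -> int:
    """Mode the local file gets on an affected receiver.

    Without -p the announced mode goes straight into open(2). The kernel
    applies umask, which covers only the rwx bits, so setuid, setgid and
    sticky bits survive even though nobody asked for them. With -p the
    receiver also fchmod()s the file to the announced mode, which is the
    documented meaning of 'preserve'.
    """
    if preserve:
        return announced
    return announced & ~(umask_value & 0o777)


def installed_mode_hardened(announced: int, umask_value: int, preserve: bool) -> int:
    """Same decision, but special bits are kept only when -p asked for them."""
    if preserve:
        return announced
    return (announced & 0o777) & ~(umask_value & 0o777)


def create_like_affected_receiver(directory: str, name: str, announced: int) -> int:
    """Create a file the way the affected, non-preserving path does and
    return the mode the kernel actually recorded. Run as root, an announced
    setuid bit produces a setuid-root file; as an ordinary user the file is
    owned by that user, so the bit grants nothing extra."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, announced)
    os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    record = "C4755 12 evil\n"   # constructed: a remote side announcing setuid 755
    mode, size, name = parse_scp_file_header(record)
    umask_now = os.umask(0)
    os.umask(umask_now)
    print("announced %o, umask %03o" % (mode, umask_now))
    for preserve in (False, True):
        print("  -p=%-5s affected -> %o, hardened -> %o" % (
            preserve,
            installed_mode_affected(mode, umask_now, preserve),
            installed_mode_hardened(mode, umask_now, preserve)))
    with tempfile.TemporaryDirectory() as d:
        got = create_like_affected_receiver(d, name, mode)
        print("  on this filesystem the created file has mode %o" % got)
```

Running the script shows the point of the advisory directly: with a umask of 022 the announced `4755` is installed as `4755` on the affected path and as `755` on the hardened path, and only with -p do the two agree, because then the user explicitly asked for the remote mode.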

Affected Systems

All OpenSSH releases before 10.3 are affected. The condition is met by the scp client, run as root, downloading with -O (the legacy scp protocol; scp has used SFTP by default since OpenSSH 9.0, so -O has to be given explicitly) and without -p. The mode applied to the received file is the one announced by the remote side, so the file lands setuid or setgid on the local (destination) host.

Risk and Exploitability

The CVSS 3.1 base score is 7.5 (High) with vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H; the EPSS score is below 1% and the CVE is not listed in CISA's KEV catalog. The party running scp is the victim, not the attacker: whoever controls the remote end of the transfer (a malicious or compromised SSH server, or a user who can place a file in the directory being copied) can announce a file as setuid or setgid, and a root user who downloads it with -O and without -p installs it as a setuid/setgid executable owned by root. The UI:R and AC:H components reflect that root must initiate such a transfer; whether the result is a usable privilege escalation then depends on where the file lands and who can execute it.

Generated by OpenCVE AI on April 2, 2026 at 23:24 UTC.

Remediation

No vendor advisory or workaround is linked on this page. Per the description the behaviour is fixed in OpenSSH 10.3, and the trigger requires both -O and the absence of -p while running as root, so downloads over the default SFTP transport, or not performed as root, are outside the affected condition.

OpenCVE Recommended Actions

  • Upgrade OpenSSH to version 10.3 or later.
  • Avoid -O when downloading as root; use it only when the remote side does not support the SFTP transport.
  • Do not treat -p as a mitigation: it preserves the remote mode in full, setuid and setgid bits included, so a file announced as setuid then arrives setuid by design.
  • After a legacy-protocol download performed as root, check the received files for setuid or setgid bits before anything executes them.
  • Limit which privileged accounts use scp, and where they download to.
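One way to perform the post-download check from the list above, as an added example rather than anything shipped with OpenSSH: walk the download tree, report every regular file that carries a setuid or setgid bit, and optionally clear those bits in place. Symlinks are not followed, so a link pointing outside the tree cannot make the audit touch anything else. The fixture directory, file names and the setuid `bin/helper` are constructed sample input.

```python
"""Audit a download tree for files that arrived with setuid/setgid bits.

Added example for this page (not an OpenSSH tool). The fixture directory
built by build_fixture() is constructed sample input so the script runs
offline.
"""
import os
import stat
import tempfile


def find_special_bit_files(root: str, strip: bool = False) -> list:
    """Return (path, mode) for every regular file under root carrying
    S_ISUID or S_ISGID. With strip=True the bits are cleared in place and
    the pre-strip mode is still what gets reported.

    os.walk does not descend into symlinked directories, and lstat plus
    the S_ISREG check skip symlinked files, so nothing outside root is
    inspected or chmod()ed through a link planted in the download.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, mode))
                if strip:
                    os.chmod(path, mode & 0o777)
    return hits


def build_fixture() -> str:
    """Constructed sample download tree: one clean file, one setuid file
    (the mode a remote 'C4755 ...' record would have produced)."""
    root = tempfile.mkdtemp(prefix="scp-audit-")
    clean = os.path.join(root, "notes.txt")
    with open(clean, "w") as f:
        f.write("harmless\n")
    os.chmod(clean, 0o644)
    sub = os.path.join(root, "bin")
    os.mkdir(sub)
    suspicious = os.path.join(sub, "helper")
    with open(suspicious, "w") as f:
        f.write("#!/bin/sh\nid\n")
    os.chmod(suspicious, 0o4755)
    return root


if __name__ == "__main__":
    root = build_fixture()
    for path, mode in find_special_bit_files(root):
        print("special bits on %s (mode %o)" % (path, mode))
    find_special_bit_files(root, strip=True)
    print("after strip:", find_special_bit_files(root))
```

On a real download, point `find_special_bit_files` at the directory scp wrote into and review the report before deciding whether to strip; a setuid bit on a file that was supposed to have one (an installer payload copied with -p on purpose) is the case the -p caveat above is about.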

Advisories

No advisories yet.

History

Sat, 04 Apr 2026 01:15:00 +0000

  • Title: removed "Setuid/Setgid Elevation via scp in OpenSSH <10.3"; added "OpenSSH: OpenSSH: Privilege escalation via scp legacy protocol when not preserving file mode"
  • References: changed (values not listed)
  • Metrics, threat_severity: removed "None"; added "Important"


Fri, 03 Apr 2026 10:15:00 +0000

  • Title: added "Setuid/Setgid Elevation via scp in OpenSSH <10.3"

Thu, 02 Apr 2026 20:30:00 +0000

  • Description: added "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode)."
  • First time appeared: Openbsd; Openbsd openssh
  • Weaknesses: added CWE-281
  • CPEs: added cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*
  • Vendors & Products: added Openbsd; Openbsd openssh
  • References: changed (values not listed)
  • Metrics, cvssV3_1: added {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}
  • Metrics, ssvc: added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-03T03:55:44.273Z

Reserved: 2026-04-02T16:30:59.107Z

Link: CVE-2026-35385

Vulnrichment

Updated: 2026-04-02T17:06:11.715Z

NVD

Status : Awaiting Analysis

Published: 2026-04-02T17:16:27.450

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-35385

Redhat

Severity : Important

Public Date: 2026-04-02T16:30:59Z

Links: CVE-2026-35385 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T09:18:32Z

Weaknesses