Description
In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.
Published: 2026-04-02
Score: 3.6 Low
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary command execution via username shell metacharacters
Action: Patch
AI Analysis

Impact

The vulnerability allows a malicious user to execute arbitrary shell commands when the SSH client supplies an untrusted username that contains shell metacharacters and the server’s ssh_config has the percent character (% ) remapping enabled. OpenSSH processes the username in a way that causes the shell to interpret the metacharacters, leading to command execution. This can compromise system integrity and confidentiality if the attacker can construct a malicious username.

Affected Systems

OpenBSD OpenSSH releases before 10.3 are affected. Any installation of OpenSSH prior to 10.3 that compiles from source or is distributed as a system package is vulnerable. Users running earlier OpenSSH versions cannot safely use untrusted usernames passed via the SSH command line without applying the patch.

Risk and Exploitability

The CVSS score of 3.6 indicates low severity under current scoring, and the EPSS score below 1% suggests a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers must supply an untrusted username and have ssh_config configured with a non‑default % mapping, which limits the attack surface. However, if those conditions are met, command execution can be achieved, potentially allowing privilege escalation or data exfiltration.

Generated by OpenCVE AI on April 4, 2026 at 03:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenSSH to version 10.3 or later.
  • Ensure that ssh_config’s percent handling remains at its default setting to prevent shell metacharacter expansion.
  • Verify that usernames used on the command line are sanitized or avoid passing untrusted usernames altogether.

Generated by OpenCVE AI on April 4, 2026 at 03:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Title OpenSSH: OpenSSH: Arbitrary command execution via shell metacharacters in username
Weaknesses CWE-78
References
Metrics threat_severity

None

 threat_severity

Low

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.
First Time appeared Openbsd
Openbsd openssh
Weaknesses CWE-696
CPEs cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*
Vendors & Products Openbsd
Openbsd openssh
References
Metrics cvssV3_1

{'score': 3.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Openbsd Openssh
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-03T03:55:45.599Z

Reserved: 2026-04-02T16:44:27.451Z

Link: CVE-2026-35386

cve-icon Vulnrichment

Updated: 2026-04-02T17:12:17.154Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-02T17:16:27.623

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-35386

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-02T16:44:27Z

Links: CVE-2026-35386 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T07:55:58Z

Weaknesses