Description
In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.
Published: 2026-04-02
Score: 3.6 Low
EPSS: < 1% Very Low
KEV: No
Impact: Command Execution via Untrusted Username
Action: Patch Now
AI Analysis

Impact

In OpenSSH versions prior to 10.3, a flaw allows shell metacharacters included in a user name supplied on the command line to be interpreted as executable commands. This vulnerability permits an attacker to run arbitrary system commands during an SSH session, effectively compromising the host’s confidentiality, integrity, and availability. The weakness aligns with CWE‑696, indicating improper handling of user-supplied input leading to command injection.

Affected Systems

The vulnerability affects the OpenBSD OpenSSH implementation, specifically all releases before 10.3. Users who run pre‑10.3 binaries and provide untrusted user names in command‑line contexts with non‑default settings in ssh_config are at risk.

Risk and Exploitability

The CVSS score of 3.6 signals a low severity level, but the necessity for an untrusted username and altered % settings in ssh_config makes exploitation less likely. EPSS data is unavailable and the issue is not listed in the CISA KEV catalog. The likely attack vector is remote via SSH, though the requirement for non‑default configuration suggests that real‑world exploitation would be constrained unless administrators have permissive settings.

Generated by OpenCVE AI on April 2, 2026 at 22:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenSSH to version 10.3p1 or newer.
  • Ensure that the '%' character in ssh_config remains at its default value and that no untrusted usernames are passed as command‑line arguments.
  • Review SSH configuration files for custom settings that allow untrusted input in command contexts and remove or restrict them.
  • Monitor SSH logs for unusual command execution patterns and investigate any anomalies.

Generated by OpenCVE AI on April 2, 2026 at 22:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Title OpenSSH: OpenSSH: Arbitrary command execution via shell metacharacters in username
Weaknesses CWE-78
References
Metrics threat_severity

None

 threat_severity

Low

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.
First Time appeared Openbsd
Openbsd openssh
Weaknesses CWE-696
CPEs cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*
Vendors & Products Openbsd
Openbsd openssh
References
Metrics cvssV3_1

{'score': 3.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Openbsd Openssh
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-03T03:55:45.599Z

Reserved: 2026-04-02T16:44:27.451Z

Link: CVE-2026-35386

cve-icon Vulnrichment

Updated: 2026-04-02T17:12:17.154Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-02T17:16:27.623

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-35386

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-02T16:44:27Z

Links: CVE-2026-35386 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:18:26Z

Weaknesses