Description
OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.
Published: 2026-04-02
Score: 2.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: Integrity compromise via unconfirmed proxy-mode multiplexing sessions
Action: Update
AI Analysis

Impact

OpenSSH versions before 10.3 omit the confirmation step for proxy-mode multiplexing sessions. Connection multiplexing is a feature of the ssh client, not of sshd: a ControlMaster process listens on a local control socket (ControlPath), and proxy mode (ssh -O proxy) lets another ssh process reuse that master's already established connection. The party able to reach the weakness is therefore whoever can talk to the control socket on the client host, which matches the published CVSS vector (AV:L, AC:H, UI:R), not a remote attacker reaching a server's SSH port. The recorded impact is a low integrity impact (I:L) with no confidentiality or availability impact. The assigned weaknesses are CWE-306 (Missing Authentication for Critical Function) and CWE-420 (Unprotected Alternate Channel).

Affected Systems

The CPE entry (cpe:2.3:a:openbsd:openssh:*) carries no version bound, so the boundary comes from the description alone: every OpenSSH release older than 10.3 (10.3p1 for portable OpenSSH) is in scope. Because multiplexing lives in the ssh client, the component that matters is the client binary on each host that initiates SSH connections, including vendor-packaged builds. Distributions that backport fixes may ship a patched build under an older version number, so check the vendor's advisory rather than relying on the version string alone.

Risk and Exploitability

The CVSS 3.1 base score of 2.5 (AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N) rates this as low severity. The vector says exploitation needs local access (AV:L) to the client host that holds the multiplexing control socket, high attack complexity (AC:H) and user interaction (UI:R); merely reaching a server's SSH port is not enough. The EPSS score is below 1%, the SSVC assessment records Exploitation: none and Automatable: no, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. The recorded impact is partial and limited to integrity (I:L): no remote code execution or denial of service is claimed.

Generated by OpenCVE AI on April 4, 2026 at 03:57 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The CVE description itself gives the fix boundary: OpenSSH 10.3 (10.3p1 for portable OpenSSH) and later are not affected.

OpenCVE Recommended Actions

  • Update the ssh client to OpenSSH 10.3 (10.3p1 for portable OpenSSH) or later on every host that initiates SSH connections; multiplexing is a client-side feature, so patching servers alone does not address it.
  • If an immediate update is not possible, turn multiplexing off in the client configuration (ssh_config and ~/.ssh/config, not sshd_config): set ControlMaster no and ControlPath none, remove ControlPersist entries, and avoid ssh -O proxy. Note that ControlMaster accepts only yes, no, ask, auto and autoask; "none" is not a valid ControlMaster value. Keep any directory that holds control sockets writable only by its owner.
  • sshd does not log client-side multiplexing as such (a multiplexed session is just another channel on an existing connection), so monitoring means auditing client hosts: inventory ssh_config and ~/.ssh/config for ControlMaster, ControlPath and ControlPersist directives, and check for live masters with ssh -O check -S <control-socket> <host>.
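A small audit script for the two actions above (the version check and the client-config check), added here as an example; it is not OpenSSH project code and not part of the OpenCVE page. It assumes that `ssh -V` prints a banner beginning `OpenSSH_<major>.<minor>`, which is the format OpenSSH uses, and that ssh_config keywords are case-insensitive with either whitespace or `=` between keyword and value, as ssh_config(5) describes. It does not evaluate Host/Match scoping, so it reports every multiplexing directive wherever it appears; the sample config lines used to exercise it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not OpenSSH or OpenCVE code: audit a client host for the
# CVE-2026-35388 exposure. Two checks: (1) is the installed ssh older than
# 10.3, (2) does a client config file turn connection multiplexing on.
# Assumptions: "ssh -V" starts with "OpenSSH_<major>.<minor>", and ssh_config
# keywords are case-insensitive with " " or "=" separating keyword and value.

# openssh_before_10_3 VERSION_STRING
# Exit 0 if the version is below 10.3 (affected), 1 if 10.3 or later,
# 2 if the string is not an OpenSSH version banner.
openssh_before_10_3() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -lt 10 ]; then
        return 0
    elif [ "$major" -eq 10 ] && [ "$minor" -lt 3 ]; then
        return 0
    fi
    return 1
}

# installed_ssh_before_10_3: same check against the ssh binary on PATH
# ("ssh -V" prints its banner on stderr, hence 2>&1).
installed_ssh_before_10_3() {
    openssh_before_10_3 "$(ssh -V 2>&1)"
}

# mux_directives CONFIG_FILE
# Print every active (uncommented) line that enables multiplexing:
# ControlMaster with a value other than "no", or ControlPath other than
# "none". Host/Match scoping is ignored: every such line is reported.
# ControlPersist is not flagged on its own because it only matters when a
# master exists. Exit 0 if at least one line was found, 1 if none.
mux_directives() {
    awk '
        { sub(/^[ \t]+/, "") }                 # trim leading whitespace
        /^$/ || /^#/ { next }                  # skip blank and comment lines
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)    # "Key=value" -> "Key value"
            n = split(line, f, /[ \t]+/)
            kw = tolower(f[1])
            val = (n >= 2) ? tolower(f[2]) : ""
            if (kw == "controlmaster" && val != "no")   { print $0; hit = 1 }
            if (kw == "controlpath"   && val != "none") { print $0; hit = 1 }
        }
        END { exit (hit ? 0 : 1) }
    ' "$1"
}

# Run directly with one or more config paths to audit this host.
if [ $# -gt 0 ]; then
    if command -v ssh >/dev/null 2>&1; then
        banner=$(ssh -V 2>&1)
        if openssh_before_10_3 "$banner"; then
            echo "AFFECTED ($banner): update to OpenSSH 10.3 / 10.3p1 or later"
        else
            echo "ok: $banner"
        fi
    fi
    for cfg in "$@"; do
        echo "== $cfg"
        mux_directives "$cfg" || echo "(no multiplexing directives)"
    done
fi
```

Run it as `sh audit.sh /etc/ssh/ssh_config ~/.ssh/config` on each client host. A version of 10.3 or later with no reported directives means the host is outside the affected range and has no multiplexing enabled; a reported ControlMaster or ControlPath line on an older client is the configuration to change until the client is updated.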


Advisories

No advisories yet.

History

(Each entry lists the field changed; where a value was replaced, the removed value appears before "->" and the added value after it.)

Sat, 04 Apr 2026 01:15:00 +0000

  Title: "OpenSSH Multiplexing Confirmation Omission in Proxy Mode" -> "OpenSSH: OpenSSH: Low integrity impact from unconfirmed proxy-mode multiplexing sessions"
  Weaknesses: CWE-306
  References: (none recorded)
  Metrics: threat_severity None -> Low

Fri, 03 Apr 2026 10:15:00 +0000

  Title: "OpenSSH Multiplexing Confirmation Omission in Proxy Mode"

Thu, 02 Apr 2026 20:30:00 +0000

  Description: OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.
  First Time appeared: Openbsd; Openbsd openssh
  Weaknesses: CWE-420
  CPEs: cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*
  Vendors & Products: Openbsd; Openbsd openssh
  References: (none recorded)
  Metrics:
    cvssV3_1: {'score': 2.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-02T18:16:41.820Z

Reserved: 2026-04-02T16:57:30.433Z

Link: CVE-2026-35388

Vulnrichment

Updated: 2026-04-02T17:46:32.744Z

NVD

Status : Awaiting Analysis

Published: 2026-04-02T17:16:27.947

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-35388

Redhat

Severity : Low

Public Date: 2026-04-02T16:57:31Z

Links: CVE-2026-35388 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-07T07:55:55Z

Weaknesses