Description
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
Published: 2026-04-02
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized SSH access via principal misinterpretation
Action: Patch
AI Analysis

Impact

OpenSSH versions prior to 10.3 mishandle the authorized_keys principals option when a principals list is combined with a Certificate Authority that includes comma characters. The server mistakenly accepts the key, treating the comma as a separator and allowing authentication with principals that should be disallowed. This flaw enables an attacker who supplies a credential that meets the misparsed principal criteria to obtain SSH access to the system.

Affected Systems

The vulnerability affects OpenBSD OpenSSH installations running any release before version 10.3. All earlier releases—from the initial OpenSSH launch through 10.2—are impacted.

Risk and Exploitability

The CVSS score of 4.2 reflects a moderate severity. Exploitation requires the attacker to possess a valid SSH key with a principals list containing comma characters and to trust a Certificate Authority that uses commas in its configuration. The attack vector is inferred from the description, not explicitly documented elsewhere. EPSS data is unavailable, and the flaw is not listed in CISA’s KEV catalog, suggesting limited breadth of public exploitation. Nonetheless, once exploited, the attacker gains unauthorized SSH access to the host.

Generated by OpenCVE AI on April 2, 2026 at 23:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenSSH to version 10.3p1 or later

Generated by OpenCVE AI on April 2, 2026 at 23:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title OpenSSH Authorized Keys Principal Parsing Vulnerability with Comma Characters

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
First Time appeared Openbsd
Openbsd openssh
Weaknesses CWE-670
CPEs cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*
Vendors & Products Openbsd
Openbsd openssh
References
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Openbsd Openssh
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-02T18:17:04.391Z

Reserved: 2026-04-02T17:08:15.208Z

Link: CVE-2026-35414

cve-icon Vulnrichment

Updated: 2026-04-02T17:43:15.738Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-02T18:16:34.690

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-35414

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:18:13Z

Weaknesses