Description
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
Published: 2026-04-02
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

OpenSSH versions prior to 10.3 incorrectly parse the principals option in authorized_keys when it appears alongside a certificate authority that includes comma characters in its principal list. This parsing error lets an attacker create a key entry that satisfies a different principal than intended, thereby bypassing the configured authorization restrictions and potentially granting unauthorized access to higher privileges.

Affected Systems

The issue impacts OpenBSD OpenSSH deployments running any release before 10.3. Systems that rely on principal restrictions for user identity or certificate-based access may be vulnerable if their authorized_keys entries reference a certificate authority with comma-separated principal entries.

Risk and Exploitability

The CVSS score of 4.2 signifies moderate severity, and the EPSS score of less than 1 % indicates a low likelihood of automated exploitation at present. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploitation. The probable attack vector is inferred: an attacker capable of modifying the authorized_keys file or who can obtain a certificate signed by a CA containing commas in its principal list could exploit the flaw. No public exploit has been documented yet, though the potential for privilege escalation remains for affected deployments.

Generated by OpenCVE AI on April 4, 2026 at 04:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenSSH to release 10.3 or later, which corrects the principals parsing issue.
  • Verify that any authorized_keys entries do not contain principals lists with embedded commas when using a certificate authority.
  • If an immediate update is not possible, consider disabling the principals option or restricting CA usage in authorized_keys until the patch is applied.

Generated by OpenCVE AI on April 4, 2026 at 04:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Title OpenSSH Authorized Keys Principal Parsing Vulnerability with Comma Characters OpenSSH: OpenSSH: Security bypass via mishandling of authorized_keys principals option
Weaknesses CWE-168
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title OpenSSH Authorized Keys Principal Parsing Vulnerability with Comma Characters

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
First Time appeared Openbsd
Openbsd openssh
Weaknesses CWE-670
CPEs cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*
Vendors & Products Openbsd
Openbsd openssh
References
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Openbsd Openssh
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-02T18:17:04.391Z

Reserved: 2026-04-02T17:08:15.208Z

Link: CVE-2026-35414

cve-icon Vulnrichment

Updated: 2026-04-02T17:43:15.738Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T18:16:34.690

Modified: 2026-04-10T19:36:57.163

Link: CVE-2026-35414

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-02T17:08:15Z

Links: CVE-2026-35414 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T07:55:53Z

Weaknesses