Description
A flaw was found in OpenSSH. A local unprivileged attacker on a Linux client host can hijack client-side X11 forwarding connections. This is possible by pre-binding the preferred abstract X socket name when X11 forwarding is enabled and a local UNIX-domain X socket is used. A successful attack can compromise the confidentiality of forwarded X11 traffic, including sensitive window contents and input, and may allow some manipulation of the forwarded session.
Published: 2026-06-23
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A local, unprivileged attacker on a Linux client can hijack X11 forwarding connections by pre‑binding the preferred abstract X socket name. The attacker does not need root privileges, and the exploitation can reveal sensitive window contents and typed input. The attack may also permit some manipulation of the forwarded session. This flaw does not require network access; it attacks confidentiality of traffic transmitted over an otherwise encrypted SSH connection.

Affected Systems

The vulnerability affects Red Hat Enterprise Linux releases 6 through 10, Red Hat Hardened Images, and Red Hat OpenShift Container Platform 4 via their OpenSSH client implementations. The flaw applies to any system where OpenSSH client X11 forwarding is enabled.

Risk and Exploitability

The CVSS score is 5, indicating medium severity. The EPSS score is unavailable, and the vulnerability is not on the CISA KEV list. Attack requires a local user to have X11 forwarding enabled and to be able to pre‑bind an abstract UNIX‑domain socket. Because the exploit is local and does not require elevated privileges, the attack vector is weaker than remote exploits but still poses a significant risk if X11 forwarding is routinely used.

Generated by OpenCVE AI on June 23, 2026 at 04:20 UTC.

Remediation

Vendor Workaround

To mitigate this issue, disable X11 forwarding on OpenSSH clients when it is not required. This can be achieved by avoiding the use of `-X` or `-Y` options when invoking `ssh`, or by setting `ForwardX11 no` in the SSH client configuration file (`~/.ssh/config` or `/etc/ssh/ssh_config`). Disabling X11 forwarding will prevent the client from attempting to establish X11 connections, thereby removing the attack vector.


OpenCVE Recommended Actions

  • Disable X11 forwarding by removing the use of -X and -Y options when invoking ssh or by setting ForwardX11 no in the ssh client configuration file (~/.ssh/config or /etc/ssh/ssh_config).
  • Check the Red Hat errata page for any update that addresses this SSH pre‑binding flaw and apply the patch when available.
  • Restrict local users from creating abstract sockets in the X11 namespace by configuring appropriate filesystem permissions or by disabling the X11 forwarding feature in system-wide SSH client templates.

Generated by OpenCVE AI on June 23, 2026 at 04:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 14:15:00 +0000

Type Values Removed Values Added
References

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Openssh
Openssh openssh
Redhat hardened Images
Redhat openshift Container Platform
Vendors & Products Openssh
Openssh openssh
Redhat hardened Images
Redhat openshift Container Platform

Tue, 23 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 23 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in OpenSSH. A local unprivileged attacker on a Linux client host can hijack client-side X11 forwarding connections. This is possible by pre-binding the preferred abstract X socket name when X11 forwarding is enabled and a local UNIX-domain X socket is used. A successful attack can compromise the confidentiality of forwarded X11 traffic, including sensitive window contents and input, and may allow some manipulation of the forwarded session.
Title Openssh: local mitm of x11 forwarding via abstract unix socket pre-binding in red hat enterprise linux openssh client versions
First Time appeared Redhat
Redhat enterprise Linux
Redhat hummingbird
Redhat openshift
Weaknesses CWE-923
CPEs cpe:/a:redhat:hummingbird:1
cpe:/a:redhat:openshift:4
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat hummingbird
Redhat openshift
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N'}


Subscriptions

Openssh Openssh
Redhat Enterprise Linux Hardened Images Hummingbird Openshift Openshift Container Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-08T13:59:46.603Z

Reserved: 2026-06-16T23:55:05.737Z

Link: CVE-2026-55655

cve-icon Vulnrichment

Updated: 2026-06-23T12:21:44.889Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-22T23:22:11Z

Links: CVE-2026-55655 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:06:36Z

Weaknesses
  • CWE-923

    Improper Restriction of Communication Channel to Intended Endpoints