OpenSSH versions released over the past 15 years are affected by a vulnerability that results in full root shell access, and attacks cannot be caught by log-based detection, data security firm Cyera says.
Tracked as CVE-2026-35414 (CVSS score of 8.1), the flaw is described as a mishandling of the authorized_keys principals option in certain scenarios involving certificate authorities (CAs) that use comma characters.
According to Cyera, because of the bug, a comma in an SSH certificate principal name leads to an OpenSSH access control bypass, allowing users to authenticate as root on a vulnerable server, as long as they hold a valid certificate from a trusted CA.
“The flaw resides in a code reuse error that accidentally allowed a simple comma in a certificate principal to be interpreted as a list separator by the parser, turning a low-privilege identity into a root credential,” Cyera told information.killnetswitch.
“The server considers the authentication legitimate, meaning this attack does not register an authentication failure in logs, making log-based detection highly unreliable,” it added.
CVE-2026-35414, the cybersecurity firm explains, involves the principals list, which contains the usernames that a certificate holder may authenticate as, and the authorized_keys principals, which contain the keys the servers use to trust certificates.
The issue is that a function that handles cipher and key-exchange list negotiation compares comma-separated lists of ciphers during key exchange, splits on the comma, and allows authentication if either fragment matches the principal’s value.
Because of the bug, if a certificate contains the principal deploy,root, OpenSSH splits on the comma and allows full root access.
A second function that also checks authorization treats the same principal as a single string and denies access. However, if the string matches, the options that run next result in principal validation being skipped entirely.
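The two matching behaviours described above, shown side by side as an added illustration (this is not OpenSSH code and not Cyera's material, but a simplified model of the reported defect), together with a small audit helper that pulls principal names out of `ssh-keygen -L` style output so a defender can flag certificates whose principals contain a comma. The sample certificate listing is constructed.

```python
def flawed_principal_match(cert_principals, allowed):
    """Model of the defect: a comma-separated list comparison is reused, so a
    single certificate principal such as 'deploy,root' is split on the comma
    and is accepted if ANY fragment is an allowed principal."""
    for principal in cert_principals:
        if any(frag in allowed for frag in principal.split(",")):
            return True
    return False


def exact_principal_match(cert_principals, allowed):
    """Intended behaviour: a principal is an opaque string and must match an
    allowed principal exactly; a comma is just another character."""
    return any(p in allowed for p in cert_principals)


def parse_principals(ssh_keygen_output):
    """Return the names listed under 'Principals:' in `ssh-keygen -L` text,
    where each principal sits on its own, more deeply indented line."""
    lines = ssh_keygen_output.splitlines()
    principals = []
    for i, line in enumerate(lines):
        if not line.strip().startswith("Principals:"):
            continue
        indent = len(line) - len(line.lstrip())
        for nxt in lines[i + 1:]:
            # the block ends at the next field, which is indented no deeper
            if not nxt.strip() or len(nxt) - len(nxt.lstrip()) <= indent:
                break
            principals.append(nxt.strip())
        break
    return principals


def suspicious_principals(cert_principals):
    """Audit helper: principals that contain a comma deserve review."""
    return [p for p in cert_principals if "," in p]


# Constructed sample in the layout `ssh-keygen -L` prints for a user certificate.
SAMPLE_CERT_LISTING = """\
/tmp/deploy-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Key ID: "deploy-key"
        Principals: 
                deploy,root
        Critical Options: (none)
"""

if __name__ == "__main__":
    found = parse_principals(SAMPLE_CERT_LISTING)
    print("principals:", found, "suspicious:", suspicious_principals(found))
    print("flawed:", flawed_principal_match(found, {"root"}),
          "exact:", exact_principal_match(found, {"root"}))
```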
“We wrote a test certificate with a literal comma in the principal field, pointed it at a test server, and got root. The whole thing took about twenty minutes from ‘that looks wrong’ to a working exploit,” Cyera says.
Successful exploitation of the vulnerability could give an attacker root access to every server an organization runs, if the vulnerable protocol runs on them, the company says.
CVE-2026-35414 was resolved in early April in OpenSSH version 10.3. Organizations are advised to audit their environments and update to a patched version as soon as possible.