PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-35386 OpenBSD CVE debrief

A low-severity vulnerability was found in OpenSSH before 10.3, allowing command execution via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted and a non-default configuration of % in ssh_config. The vulnerability has a CVSS score of 3.6, indicating low severity. System administrators and security teams should be aware of this vulnerability, especially those with untrusted user access, and take steps to mitigate it.

Vendor
OpenBSD
Product
OpenSSH
CVSS
LOW 3.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-02
Original CVE updated
2026-07-07
Advisory published
2026-04-02
Advisory updated
2026-07-07

Who should care

System administrators and security teams responsible for OpenSSH installations, especially those with untrusted user access, should be aware of this vulnerability and take steps to mitigate it. This includes reviewing system configurations, updating to version 10.3 or later, and monitoring for suspicious activity.

Technical summary

The vulnerability exists in OpenSSH before version 10.3, where command execution can occur via shell metacharacters in a username within a command line. This requires a specific scenario where the username on the command line is untrusted and a non-default configuration of % in ssh_config is present. The CVSS score for this vulnerability is 3.6, indicating a low severity. Affected systems include OpenSSH installations prior to version 10.3 with untrusted user access.

Defensive priority

Apply patches or upgrades to OpenSSH version 10.3 or later. Restrict access to trusted users and monitor for suspicious activity. Review and update ssh_config to ensure default or secure configurations.

Recommended defensive actions

  • Apply patches or upgrades to OpenSSH version 10.3 or later
  • Restrict access to trusted users
  • Monitor for suspicious activity
  • Review and update ssh_config to ensure default or secure configurations
  • Perform vulnerability scanning to identify exposed systems
  • Implement compensating controls for exposed systems
  • Review asset inventory for OpenSSH installations

Evidence notes

The CVE record was published on 2026-04-02T17:16:27.623Z and last modified on 2026-07-07T15:55:29.950Z. The NVD entry is currently Analyzed. This vulnerability affects OpenSSH installations prior to version 10.3, particularly in scenarios with untrusted user access and non-default configurations. Evidence is based on CVE and NVD details, with limitations on source information.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-02T17:16:27.623Z and has not been modified since then. The NVD entry is currently Analyzed.