PatchSiren cyber security CVE debrief
CVE-2026-35386 OpenBSD CVE debrief
A low-severity vulnerability was found in OpenSSH before 10.3, allowing command execution via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted and a non-default configuration of % in ssh_config. The vulnerability has a CVSS score of 3.6, indicating low severity. System administrators and security teams should be aware of this vulnerability, especially those with untrusted user access, and take steps to mitigate it.
- Vendor
- OpenBSD
- Product
- OpenSSH
- CVSS
- LOW 3.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-02
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-04-02
- Advisory updated
- 2026-07-07
Who should care
System administrators and security teams responsible for OpenSSH installations, especially those with untrusted user access, should be aware of this vulnerability and take steps to mitigate it. This includes reviewing system configurations, updating to version 10.3 or later, and monitoring for suspicious activity.
Technical summary
The vulnerability exists in OpenSSH before version 10.3, where command execution can occur via shell metacharacters in a username within a command line. This requires a specific scenario where the username on the command line is untrusted and a non-default configuration of % in ssh_config is present. The CVSS score for this vulnerability is 3.6, indicating a low severity. Affected systems include OpenSSH installations prior to version 10.3 with untrusted user access.
Defensive priority
Apply patches or upgrades to OpenSSH version 10.3 or later. Restrict access to trusted users and monitor for suspicious activity. Review and update ssh_config to ensure default or secure configurations.
Recommended defensive actions
- Apply patches or upgrades to OpenSSH version 10.3 or later
- Restrict access to trusted users
- Monitor for suspicious activity
- Review and update ssh_config to ensure default or secure configurations
- Perform vulnerability scanning to identify exposed systems
- Implement compensating controls for exposed systems
- Review asset inventory for OpenSSH installations
Evidence notes
The CVE record was published on 2026-04-02T17:16:27.623Z and last modified on 2026-07-07T15:55:29.950Z. The NVD entry is currently Analyzed. This vulnerability affects OpenSSH installations prior to version 10.3, particularly in scenarios with untrusted user access and non-default configurations. Evidence is based on CVE and NVD details, with limitations on source information.
Official resources
-
CVE-2026-35386 CVE record
CVE.org
-
CVE-2026-35386 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-02T17:16:27.623Z and has not been modified since then. The NVD entry is currently Analyzed.