PT-2026-29858 · Openbsd+3 · Openssh+3

Rabbit · Published 2026-04-02 · Updated 2026-05-06 · CVE-2026-35414

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenSSH versions prior to 10.3
Description: OpenSSH mishandles the authorized_keys principals option in scenarios involving a principals list and a Certificate Authority (CA) that uses comma characters. A parsing error causes a comma inside an SSH certificate principal name to be interpreted as a list separator rather than as part of the string. This allows a user with a valid certificate from a trusted CA to bypass access controls and authenticate as root, effectively escalating low-privilege credentials to root access. The issue stems from a code reuse error: the function that matches cipher and key lists splits strings on commas and grants authentication if any fragment matches a subject value. Because the server treats the authentication as legitimate, the attack does not produce authentication failures in the logs, which makes detection unreliable.
Recommendations: Update to version 10.3 or later.
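
A minimal model of the matching flaw in the Description, as an added example (not OpenSSH source and not taken from the advisory). The function names match_split and match_exact and the sample principal values are constructed for illustration; the flawed matcher splits the certificate principal on commas, the corrected one compares it as a single string.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True if `name` (length n) equals one comma-separated entry of `list`. */
static bool in_list(const char *list, const char *name, size_t n)
{
    for (const char *p = list; ; ) {
        size_t len = strcspn(p, ",");
        if (len == n && memcmp(p, name, n) == 0)
            return true;
        if (p[len] == '\0')
            return false;
        p += len + 1;
    }
}

/* Flawed model: the certificate principal is itself treated as a comma
 * list, and any fragment found in the allowed list is accepted. */
bool match_split(const char *allowed, const char *cert_principal)
{
    for (const char *p = cert_principal; ; ) {
        size_t len = strcspn(p, ",");
        if (len > 0 && in_list(allowed, p, len))
            return true;
        if (p[len] == '\0')
            return false;
        p += len + 1;
    }
}

/* Corrected model: the certificate principal is one opaque string. */
bool match_exact(const char *allowed, const char *cert_principal)
{
    size_t n = strlen(cert_principal);
    return n > 0 && in_list(allowed, cert_principal, n);
}

int main(void)
{
    const char *allowed = "root";    /* constructed principals list */
    const char *cert = "alice,root"; /* constructed certificate principal */
    printf("split=%d exact=%d\n", match_split(allowed, cert),
           match_exact(allowed, cert));
    return 0;
}
```

Both matchers return true for a certificate principal that really is "root", which is why the server logs the flawed case as an ordinary successful login.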

Related Identifiers

ALSA-2026:13380
ALSA-2026:13381
ALSA-2026:13383
BDU:2026-05931
CVE-2026-35414
ECHO-B2B2-3D93-518C
JLSEC-2026-78
OESA-2026-1963
USN-8222-1

Affected Products

Linuxmint
Openssh
Rocky Linux
Ubuntu