A vulnerability that has been present in OpenSSH for roughly 15 years allows an attacker who holds a certificate from a trusted CA to obtain a full root shell without tripping log-based monitoring, according to cybersecurity firm Cyera. The flaw is tracked as CVE-2026-35414 and carries a CVSS score of 8.1, placing it in the high-severity range.
Understanding the Vulnerability
The issue arises from how the principals option in authorized_keys is matched against certificate principals when a certificate issued by a trusted certificate authority carries a principal containing a comma. It lets an attacker who holds a valid certificate from a CA the server trusts bypass OpenSSH's access control and authenticate as root.
Cyera explained that the list-handling code mistakenly treats a comma inside a certificate principal name as a list separator, so a principal issued to a low-privilege identity can satisfy an entry restricted to root. Because the server accepts the login as a legitimate certificate authentication, the resulting root session is indistinguishable from a normal one in the logs and evades log-based detection.
Technical Details and Impact
CVE-2026-35414 concerns two lists: the certificate's principals list, which names the usernames the certificate holder may authenticate as, and the principals option in authorized_keys, which names the certificate principals that a given entry accepts. The same list-matching code that OpenSSH uses to split and compare comma-separated lists, for example when negotiating ciphers and key-exchange algorithms, is applied to principal names, so a comma inside a single principal is treated as a list boundary.
When a certificate carries a principal such as deploy,root, the flawed parsing splits it on the comma, matches root, and grants root access. A secondary authorization check does treat the principal as a single string, but if that check matches, the subsequent steps skip principal validation entirely.
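The matching failure described above, modelled in Python as an added example (this is not OpenSSH code or Cyera's proof of concept; it reproduces only the described behaviour). The authorized_keys line is constructed, and the principals="..." option is assumed to mean, as in sshd(8), the certificate principals that entry accepts. The vulnerable matcher re-splits the certificate principals on commas; the hardened matcher compares each principal as an opaque string and rejects a certificate whose principal contains a separator character.

```python
from __future__ import annotations

import re

# Constructed sample: a CA-trusting authorized_keys entry restricted to root.
AUTHORIZED_KEYS_LINE = (
    'cert-authority,principals="root" ssh-ed25519 '
    "AAAAC3NzaC1lZDI1NTE5AAAAIExampleCAKeyNotRealKeyData ca@corp.example"
)


def authorized_principals(line: str) -> list[str]:
    """Extract the principals="a,b,c" option from an authorized_keys line.

    Splitting on commas is correct *here*: the option value is, by definition,
    a comma-separated list written by the administrator.
    """
    m = re.search(r'principals="([^"]*)"', line)
    return m.group(1).split(",") if m else []


def vulnerable_match(cert_principals: list[str], allowed: list[str]) -> bool:
    """Flawed logic: treats the certificate principals as one comma-separated
    list and re-splits it, so a comma inside a principal name becomes a list
    separator. A certificate issued for the single principal "deploy,root"
    therefore satisfies an entry that allows only "root"."""
    joined = ",".join(cert_principals)
    return any(p in allowed for p in joined.split(","))


def fixed_match(cert_principals: list[str], allowed: list[str]) -> bool:
    """Hardened logic: never re-tokenise a principal. Each certificate principal
    is compared as an opaque string, and a certificate carrying a principal that
    contains a comma or whitespace is rejected outright (fail closed) rather
    than reinterpreted."""
    for p in cert_principals:
        if "," in p or any(ch.isspace() for ch in p):
            return False
    return any(p in allowed for p in cert_principals)


if __name__ == "__main__":
    allowed = authorized_principals(AUTHORIZED_KEYS_LINE)
    crafted = ["deploy,root"]  # one principal, as in the described test certificate
    print("vulnerable matcher grants root:", vulnerable_match(crafted, allowed))
    print("fixed matcher grants root:     ", fixed_match(crafted, allowed))
```

Run with the crafted principal and the vulnerable matcher answers True while the fixed one answers False; a legitimately issued "root" principal still passes both.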
Resolution and Recommendations
Cyera demonstrated the exploit by crafting a test certificate whose principal field contained a comma and used it to gain root access on a test server within minutes. Because a single trusted CA typically covers many hosts, the flaw could give an attacker root access across an organization's servers wherever this certificate-based configuration is in use.
The issue was addressed in OpenSSH 10.3, released in early April. Organizations are strongly urged to audit their systems, including any certificates issued by their SSH CAs, and update to the patched version to mitigate the risk.
More generally, IT departments should keep software current and perform regular security audits so that similar flaws are identified and patched promptly.
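Two audit checks that follow from the advice above, written here as an added example (not Cyera's or the OpenSSH project's tooling). The first parses the text that `ssh-keygen -L -f <cert>` prints and flags any certificate principal that contains a comma, which a comma-splitting matcher could misread as several names; the sample listing is constructed, and the parser assumes the current output layout in which principal lines are indented more deeply than the "Principals:" header. The second compares an `ssh -V` banner against the 10.3 release the article names as the fix, assuming, as the article implies, that every earlier release is affected.

```python
from __future__ import annotations

import re

# Constructed sample of `ssh-keygen -L -f deploy-cert.pub` output for a
# certificate whose single principal is the string "deploy,root".
SAMPLE_CERT_LISTING = """\
deploy-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        Signing CA: ED25519 SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB (using ssh-ed25519)
        Key ID: "deploy"
        Serial: 42
        Valid: from 2026-04-01T00:00:00 to 2026-05-01T00:00:00
        Principals: 
                deploy,root
        Critical Options: (none)
        Extensions: 
                permit-pty
"""


def cert_principals(listing: str) -> list[str]:
    """Return the principals listed under 'Principals:' in ssh-keygen -L output.

    Assumption about the layout: principal entries are indented further than
    the 'Principals:' header, and the block ends at the next header line.
    """
    principals: list[str] = []
    header_indent: int | None = None
    for line in listing.splitlines():
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if header_indent is None:
            if stripped.startswith("Principals:"):
                if stripped.endswith("(none)"):  # certificate with no principals
                    return []
                header_indent = indent
            continue
        if indent <= header_indent:
            break  # reached 'Critical Options:' or a later header
        principals.append(stripped)
    return principals


def suspicious_principals(listing: str) -> list[str]:
    """Principals a comma-splitting matcher could expand into extra identities."""
    return [p for p in cert_principals(listing) if "," in p]


PATCHED_VERSION = (10, 3)  # OpenSSH 10.3, the fixed release named in the article


def openssh_version(banner: str) -> tuple[int, int] | None:
    """Parse 'OpenSSH_9.9p2, OpenSSL ...' (the `ssh -V` banner) into (major, minor)."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_patched(banner: str) -> bool:
    """True only when the banner parses and is at or above the patched release.

    An unparseable banner is reported as unpatched so the audit fails closed."""
    version = openssh_version(banner)
    return version is not None and version >= PATCHED_VERSION


if __name__ == "__main__":
    print("principals:", cert_principals(SAMPLE_CERT_LISTING))
    print("suspicious:", suspicious_principals(SAMPLE_CERT_LISTING))
    print("9.9 patched:", is_patched("OpenSSH_9.9p2, OpenSSL 3.0.13 30 Jan 2024"))
    print("10.3 patched:", is_patched("OpenSSH_10.3p1, OpenSSL 3.0.13 30 Jan 2024"))
```

In practice, feed `cert_principals` the output of `ssh-keygen -L -f` for every certificate your CA has issued, and feed `is_patched` the banner from `ssh -V` on each host; any flagged principal or unpatched host is worth a closer look.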
