CVE-2026-35386 - Vulnerability Details - OpenCVE

In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00007.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Openbsd	Openssh

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Openbsd	Openssh

References

Link	Providers
https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2
https://www.openssh.org/releasenotes.html#10.3p1
https://www.openwall.com/lists/oss-security/2026/04/02/3

History

Thu, 02 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
Description		In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.
First Time appeared		Openbsd Openbsd openssh
Weaknesses		CWE-696
CPEs		cpe:2.3:a:openbsd:openssh::::::::
Vendors & Products		Openbsd Openbsd openssh
References		https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2 https://www.openssh.org/releasenotes.html#10.3p1 https://www.openwall.com/lists/oss-security/2026/04/02/3
Metrics		cvssV3_1 `{'score': 3.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-04-02T16:44:27.806Z

Updated: 2026-04-03T03:55:45.599Z

Reserved: 2026-04-02T16:44:27.451Z

Link: CVE-2026-35386

Vulnrichment

Updated: 2026-04-02T17:12:17.154Z

NVD

Status : Awaiting Analysis

Published: 2026-04-02T17:16:27.623

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-35386

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:18:26Z

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-35386", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-02T16:44:27.451Z", "datePublished": "2026-04-02T16:44:27.806Z", "dateUpdated": "2026-04-03T03:55:45.599Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OpenSSH", "vendor": "OpenBSD", "versions": [{"lessThan": "10.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.6, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-696", "description": "CWE-696 Incorrect Behavior Order", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-02T18:15:59.616Z"}, "references": [{"url": "https://www.openssh.org/releasenotes.html#10.3p1"}, {"url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2"}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/02/3"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.3"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-35386"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T03:55:45.599Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35386", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T17:12:12.941376Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T17:12:17.154Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.6, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OpenBSD", "product": "OpenSSH", "versions": [{"status": "affected", "version": "0", "lessThan": "10.3", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.openssh.org/releasenotes.html#10.3p1"}, {"url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2"}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/02/3"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-696", "description": "CWE-696 Incorrect Behavior Order"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "10.3"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-02T18:15:59.616Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35386", "state": "PUBLISHED", "dateUpdated": "2026-04-03T03:55:45.599Z", "dateReserved": "2026-04-02T16:44:27.451Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-02T16:44:27.806Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,10.3)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "OpenSSH", "source": "cna", "vendor": "OpenBSD"}, "product": "openssh", "vendor": "openbsd"}], "analysis": {"en": {"generated_at": "2026-04-02T22:57:49.030198+00:00", "value": {"mitigation_remediation": ["Update OpenSSH to version 10.3p1 or newer.", "Ensure that the '%' character in ssh_config remains at its default value and that no untrusted usernames are passed as command\u2011line arguments.", "Review SSH configuration files for custom settings that allow untrusted input in command contexts and remove or restrict them.", "Monitor SSH logs for unusual command execution patterns and investigate any anomalies."], "summary": {"action": "Patch Now", "impact": "Command Execution via Untrusted Username"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the OpenBSD OpenSSH implementation, specifically all releases before 10.3. Users who run pre\u201110.3 binaries and provide untrusted user names in command\u2011line contexts with non\u2011default settings in ssh_config are at risk.", "description_and_impact": "In OpenSSH versions prior to 10.3, a flaw allows shell metacharacters included in a user name supplied on the command line to be interpreted as executable commands. This vulnerability permits an attacker to run arbitrary system commands during an SSH session, effectively compromising the host\u2019s confidentiality, integrity, and availability. The weakness aligns with CWE\u2011696, indicating improper handling of user-supplied input leading to command injection.", "risk_and_exploitability": "The CVSS score of 3.6 signals a low severity level, but the necessity for an untrusted username and altered % settings in ssh_config makes exploitation less likely. EPSS data is unavailable and the issue is not listed in the CISA KEV catalog. The likely attack vector is remote via SSH, though the requirement for non\u2011default configuration suggests that real\u2011world exploitation would be constrained unless administrators have permissive settings."}}}}, "created": "2026-04-03T07:32:35.774394+00:00", "updated": "2026-04-03T09:18:26.867531+00:00", "vendors": ["openbsd", "openbsd$PRODUCT$openssh"]}