CVE-2026-35385
Received Received - Intake
Setuid/Setgid Installation Vulnerability in OpenSSH scp Before

Publication date: 2026-04-02

Last updated on: 2026-04-27

Assigner: MITRE

Description
In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35385
EUVD
EUVD-2026-18398
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openbsd openssh to 10.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-281 The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, avoid using the legacy scp protocol option -O when downloading files as root without the -p option to preserve mode.

Consider upgrading OpenSSH to version 10.3 or later where this issue is resolved.

Executive Summary

This vulnerability exists in OpenSSH versions before 10.3. When using the scp command to download a file as root with the -O option (which uses the legacy scp protocol) and without the -p option (which preserves the file mode), the downloaded file may be installed with setuid or setgid permissions. This behavior can be unexpected and potentially dangerous because it grants elevated privileges to the downloaded file.

Impact Analysis

The impact of this vulnerability is that a file downloaded via scp could unintentionally have setuid or setgid bits set, which means the file could execute with elevated privileges. This can lead to privilege escalation, allowing an attacker or unintended user to gain higher access rights on the system, potentially compromising confidentiality, integrity, and availability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35385. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart