CVE-2026-35386
Command Injection via Username in OpenSSH Before
Publication date: 2026-04-02
Last updated on: 2026-04-27
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openbsd | openssh | before 10.3 (10.3 itself excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-696 | The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways that may produce resultant weaknesses. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenSSH versions before 10.3 and involves the possibility of command execution through shell metacharacters embedded in a username supplied on the command line.
The issue arises when the username is untrusted and when non-default configurations of the % token in ssh_config are used, allowing shell metacharacters in the username to be interpreted and executed as commands.
OpenSSH 10.3 addresses this by improving validation of shell metacharacters in usernames supplied on the command line to prevent arbitrary command execution.
How can this vulnerability impact me?
If exploited, this vulnerability could allow an attacker to execute arbitrary commands on the system by supplying a specially crafted username containing shell metacharacters.
This requires that the attacker can influence the username on the command line and that the ssh_config uses non-default % token configurations.
The impact is limited by the conditions needed to exploit it and the relatively low CVSS base score of 3.6, indicating low to moderate severity with limited confidentiality and integrity impact and no availability impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves command execution via shell metacharacters in usernames supplied on the command line in OpenSSH versions before 10.3, especially when non-default configurations of % tokens in ssh_config are used.
To detect this vulnerability on your system or network, you should check the OpenSSH version in use and review ssh_config for any non-default % token configurations that could be exploited.
Suggested commands to help detect the vulnerability include:
- Check OpenSSH version: `ssh -V`
- Review ssh_config for % token usage: `grep '%' /etc/ssh/ssh_config` or `grep '%' ~/.ssh/config`
- Monitor SSH login attempts with suspicious usernames containing shell metacharacters by checking SSH logs, e.g., ``grep -E 'user=.*[;&|$`]' /var/log/auth.log`` (path may vary)
Because the vulnerability requires untrusted usernames on the command line and specific ssh_config settings, detection focuses on identifying these conditions and monitoring for unusual login attempts.
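The two checks above (version before 10.3, and ssh_config directives that expand a % token into a shell command), scripted as an added example that is not part of this CVE record or of OpenSSH itself. The directive list it scans and the sample config are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the CVE record. Assumptions: "ssh -V" banners look
# like "OpenSSH_X.Y..." and the directives below (ProxyCommand, LocalCommand,
# KnownHostsCommand, Match exec) are the ssh_config settings whose values are
# handed to a shell after % token expansion; the page only says "% token".

# Return 0 (true) when the banner names an OpenSSH release before 10.3,
# 1 when it is 10.3 or later, 2 when the banner is not recognised.
openssh_before_10_3() {
    banner=$1
    ver=$(printf '%s\n' "$banner" |
          sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver                      # $1 = major, $2 = minor
    [ "$1" -lt 10 ] || { [ "$1" -eq 10 ] && [ "$2" -lt 3 ]; }
}

# Print the lines of the given ssh_config file(s) that both run through a
# shell and contain a % token: the combination the advisory describes.
token_command_lines() {
    grep -E -i \
      '^[[:space:]]*(ProxyCommand|LocalCommand|KnownHostsCommand|Match[[:space:]].*exec)[[:space:]].*%' \
      "$@"
}

# Same check reduced to a count that a script can act on (always exits 0).
count_token_command_lines() {
    token_command_lines "$@" | awk 'END { print NR }'
}

# Constructed sample config (not from any real host) so the check runs
# offline; %h, %p and %r are standard ssh_config tokens.
write_sample_config() {
    cat > "$1" <<'EOF'
Host bastion
    ProxyCommand ssh -W %h:%p jump
    User alice
Host *.internal
    LocalCommand logger "ssh to %h as %r"
Match exec "test -r ~/.ssh/%r.key"
    IdentityFile ~/.ssh/id_special
Host plain
    ProxyCommand nc 192.0.2.10 22
EOF
}

# Live usage: openssh_before_10_3 "$(ssh -V 2>&1)" && echo "OpenSSH before 10.3"
#             token_command_lines /etc/ssh/ssh_config ~/.ssh/config
```

On the sample config only the three lines that combine a shell-executed directive with a % token are reported; the plain `ProxyCommand nc ...` line is not.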
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided context and resources do not contain specific information about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade OpenSSH to version 10.3 or later, which includes security fixes that improve validation of shell metacharacters in usernames supplied on the command line, preventing arbitrary command execution.
Additional immediate steps include:
- Avoid using untrusted usernames on the SSH command line, especially if your ssh_config uses non-default % token expansions.
- Review and simplify ssh_config to remove or restrict the use of % tokens that could be exploited.
- Implement monitoring and logging of SSH login attempts to detect suspicious activity involving shell metacharacters in usernames.
These steps help reduce the risk of exploitation until the OpenSSH upgrade can be applied.