
Critical error in OpenSSH: A comma leads to root access

A serious security flaw in OpenSSH affects numerous versions of the remote access software from the past 15 years. Under certain conditions, attackers could gain full root access to affected servers.

Attacks difficult to detect

The bug was discovered by experts from the security company Cyera, who pointed to a particularly problematic circumstance: according to the researchers, an attack can hardly be detected using conventional log files, reports the specialist magazine SecurityWeek. The vulnerability has the identifier CVE-2026-35414 and is classified as high risk with a CVSS score of 8.1. The cause, according to the report, is an error in the processing of certain access rules in connection with SSH certificates and Certificate Authorities (CAs). This affects scenarios in which a comma is used within a certificate name.

According to Cyera, it is precisely this special character that can cause OpenSSH access controls to be bypassed. Users holding a valid certificate from a trusted certification authority could potentially log in as administrator (root) even though they do not actually have permission to do so. According to the security researchers, the problem stems from a programming error introduced by code reuse.

A function incorrectly interpreted the comma as a separator between multiple entries, which could inadvertently turn an identity with limited rights into root access. The server classifies the login as a regular one, so no failed login attempt is recorded, which makes detection through traditional security monitoring much more difficult.

Patch is already here

To illustrate, Cyera gives an example: if a certificate contains the principal name “deploy,root”, OpenSSH internally breaks this value into several parts, which in certain code paths enables root access. An additional check partially catches the error but can also be bypassed under certain conditions. The researchers report that they developed a working proof-of-concept attack in around 20 minutes. If an infrastructure is configured in a vulnerable way, attackers could, in the worst case, gain access to numerous servers within a company.
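The following Python snippet is an added, simplified model of the failure mode the article describes; it is not OpenSSH source code and not Cyera's proof of concept. It assumes hypothetical function names (`principal_allowed_flawed`, `principal_allowed_fixed`, `find_comma_principals`) and a constructed allow-list of principals. It shows how a list-splitting routine reused for a single principal name turns “deploy,root” into a match for “root”, how an exact-string comparison avoids that, and a small audit helper a defender can run over the principals in their own certificates to spot names containing a comma.

```python
# Added illustrative model of a comma-splitting authorisation bug.
# Not OpenSSH code; function names and sample data are constructed for this example.

from typing import Iterable, List


def split_on_commas(value: str) -> List[str]:
    """Flawed behaviour described in the article: a routine meant for
    comma-separated lists is reused on a single principal name, so
    "deploy,root" is broken into ["deploy", "root"]."""
    return [part.strip() for part in value.split(",") if part.strip()]


def principal_allowed_flawed(cert_principal: str, allowed: Iterable[str]) -> bool:
    """Authorisation check built on the reused splitter: access is granted if
    ANY fragment of the certificate principal matches an allowed principal.
    A principal "deploy,root" therefore satisfies a rule that only lists "root"."""
    allowed_set = set(allowed)
    return any(part in allowed_set for part in split_on_commas(cert_principal))


def principal_allowed_fixed(cert_principal: str, allowed: Iterable[str]) -> bool:
    """Hardened check: the certificate principal is compared as one opaque
    string, so a comma inside it never creates additional identities."""
    return cert_principal in set(allowed)


def find_comma_principals(cert_principals: Iterable[str]) -> List[str]:
    """Audit helper for the review the article recommends: return every
    principal name that contains a comma, since such names are exactly the
    ones a list-splitting parser would misinterpret."""
    return [p for p in cert_principals if "," in p]


# Constructed sample: the server only permits the principal "root" for a root login,
# and a certificate carries the crafted principal from the article's example.
ALLOWED_FOR_ROOT = ["root"]
SAMPLE_PRINCIPAL = "deploy,root"


def compare_checks() -> dict:
    """Run both checks on the sample and report the outcome of each."""
    return {
        "flawed": principal_allowed_flawed(SAMPLE_PRINCIPAL, ALLOWED_FOR_ROOT),
        "fixed": principal_allowed_fixed(SAMPLE_PRINCIPAL, ALLOWED_FOR_ROOT),
        "suspicious": find_comma_principals(["deploy", SAMPLE_PRINCIPAL, "www"]),
    }


if __name__ == "__main__":
    for key, value in compare_checks().items():
        print(f"{key}: {value}")
```

The audit helper only inspects principal strings; in practice the names come from the certificates issued by your CA (for example, the `Principals:` section of `ssh-keygen -L` output), and any entry containing a comma deserves a second look regardless of the server version in use.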

The vulnerability was fixed at the beginning of April with the release of OpenSSH 10.3. Companies and administrators are strongly advised to check their systems and update to the latest version promptly. In addition, the certificate structures and access rules in use should be reviewed to rule out similar misconfigurations.
