vulnerability

OpenSSH Vulnerability: CVE-2026-35385

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:H/Au:N/C:C/I:C/A:C)	Apr 28, 2026	Apr 28, 2026	Apr 29, 2026

Severity

CVSS

(AV:N/AC:H/Au:N/C:C/I:C/A:C)

Published

Apr 28, 2026

Added

Apr 28, 2026

Modified

Apr 29, 2026

Description

In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).

Solution

openbsd-openssh-upgrade-10_3

References

CVE-2026-35385
https://attackerkb.com/topics/CVE-2026-35385
CWE-281
EUVD-EUVD-2026-18398
https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-18398

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report