vulnerability

OpenSSH Vulnerability: CVE-2026-35386

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
3	(AV:L/AC:M/Au:S/C:P/I:P/A:N)	Apr 28, 2026	Apr 28, 2026	Apr 28, 2026

Severity

CVSS

(AV:L/AC:M/Au:S/C:P/I:P/A:N)

Published

Apr 28, 2026

Added

Apr 28, 2026

Modified

Apr 28, 2026

Description

In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.

Solution

openbsd-openssh-upgrade-10_3

References

CVE-2026-35386
https://attackerkb.com/topics/CVE-2026-35386
CWE-696
EUVD-EUVD-2026-18400
https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-18400

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report