15-Year-Old OpenSSH Vulnerability Grants Unrestricted Root Access


OpenSSH Flaw Allowing Full Root Shell Access Discovered After 15-Year Lag

Researchers at security firm Cyera have uncovered a critical vulnerability in OpenSSH versions dating back 15 years, which allows attackers to gain full root shell access.

Critical Details

  • The weakness, tracked as CVE-2026-35414, carries a CVSS score of 8.1.
  • The issue stems from mishandling of the authorized_keys principals option when certificate authorities (CAs) issue certificates whose principals contain commas.

According to the researchers, “the flaw arises due to a code reuse error that inadvertently permits a simple comma within a certificate principal to be interpreted as a list separator by the parser.”

The issue lies in the handling of two lists: the certificate's principals list, which comprises the usernames a certificate holder may authenticate as, and the authorized_keys principals, containing keys the servers rely on to trust certificates. A function that manages cipher and key-exchange list negotiation splits comma-separated lists and treats each fragment as a separate entry; reused here, it mistakenly enables authentication.

Exploitation and Mitigation

  • A certificate containing the principal ‘deploy,root’ results in OpenSSH splitting on the comma and granting full root access, whereas another function treats the same principal as a single string and denies access.
  • By leveraging this discrepancy, attackers can successfully exploit the vulnerability, gaining unauthorized access to all servers running vulnerable protocols.
  • Organizations are advised to perform thorough audits of their environments and immediately update to a patched version of OpenSSH, specifically version 10.3.

Failure to address this vulnerability leaves companies vulnerable to potential attacks, highlighting the importance of proactive security measures.
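
The disagreement described above, and the kind of audit the article recommends, as an added example that is not from the article, Cyera, or OpenSSH: two simplified Python models of the matchers are run over the principals in a certificate listing, and any principal containing a comma is reported. The function names, the allowed set, and the sample listing (shaped like `ssh-keygen -L` output) are assumptions constructed for illustration.

```python
# Constructed sample shaped like `ssh-keygen -L -f <cert>` output; not a real certificate.
SAMPLE_CERT_LISTING = """\
user-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Key ID: "ci-runner"
        Serial: 7
        Principals:
                deploy,root
                backup
        Critical Options: (none)
"""

def parse_principals(listing):
    """Collect the indented entries listed under the 'Principals:' header."""
    principals, in_block = [], False
    for line in listing.splitlines():
        stripped = line.strip()
        if stripped.startswith("Principals:"):
            in_block = True
        elif in_block:
            # A blank line or the next field header ends the block.
            if not stripped or stripped.startswith(("Critical Options:", "Extensions:")):
                break
            principals.append(stripped)
    return principals

def exact_match(principal, allowed):
    """Model of the strict path: the principal is one opaque string."""
    return principal in allowed

def list_split_match(principal, allowed):
    """Model of the reused list matcher: every comma-separated fragment is an entry."""
    return any(part in allowed for part in principal.split(","))

def audit(listing, allowed):
    """Report each principal containing a comma and how the two models treat it."""
    return [
        {"principal": p, "exact": exact_match(p, allowed), "split": list_split_match(p, allowed)}
        for p in parse_principals(listing)
        if "," in p
    ]

if __name__ == "__main__":
    # Hypothetical allowed set: the server trusts certificates for "root" only.
    for finding in audit(SAMPLE_CERT_LISTING, {"root"}):
        print(finding)
```

A finding where `exact` and `split` differ marks a certificate that the two code paths would treat differently; any principal with a comma is worth reviewing at the CA regardless.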

Related Vulnerabilities

  • OpenSSH has recently addressed vulnerabilities allowing for Man-in-the-Middle (MitM) and Denial-of-Service (DoS) attacks.
  • A different Linux vulnerability known as Pack2TheRoot also grants attackers root access.


