CVE-2026-35414: OpenSSH Information Disclosure Vulnerability

CVE-2026-35414 is a flaw in OpenSSH before 10.3 in how sshd matches certificate principals against the principals= option of an authorized_keys entry. Although catalogued as an information disclosure issue, the behaviour described is an access-control bypass. This post covers the technical details, affected versions, security impact, and mitigation.

Published: April 2, 2026

CVE-2026-35414 Overview

OpenSSH before version 10.3 mishandles the principals= option in authorized_keys when it is combined with a cert-authority entry and the issuing Certificate Authority places comma characters in certificate principal names. The principals= list is comma-delimited, so a comma embedded in a certificate principal is treated as a separator rather than as part of the name, and a certificate can satisfy a principals= restriction it was never meant to satisfy. The configuration is uncommon, but where it exists an attacker who already holds a certificate from the trusted CA (low privileges in CVSS terms) can bypass the intended per-principal access restriction.

Impact

Incorrect handling of the principals= option may allow a certificate holder to authenticate to accounts restricted to other principals when the CA issues principal names containing commas. The CVSS 3.1 vector rates the confidentiality and integrity impact as Low with no availability impact, for a base score of 4.2 (Medium).

Affected Products

  • OpenSSH versions prior to 10.3
  • OpenSSH Portable versions prior to 10.3p1
  • Any sshd that accepts certificates through a cert-authority authorized_keys entry carrying a principals= option, where the CA issues principal names that contain comma characters

Discovery Timeline

  • 2026-04-02 - CVE-2026-35414 published to NVD
  • 2026-04-02 - Last updated in NVD database

Technical Details for CVE-2026-35414

Vulnerability Analysis

This vulnerability is classified under CWE-670 (Always-Incorrect Control Flow Implementation): the logic that matches certificate principals against the principals= option of an authorized_keys entry takes the wrong path whenever a principal name contains a comma.

OpenSSH uses the comma as the delimiter of the principals= list (for example principals="admin,deploy"). A certificate's own principal names, set by the Certificate Authority at issuance, are arbitrary strings and may themselves contain commas. When such a certificate is presented, the matching code treats the embedded commas as delimiters too, so a single principal such as svc-backup,admin is compared as if it were the two principals svc-backup and admin, and the second token matches an entry the certificate holder was not granted.

Exploitation requires network access to sshd and a low-privileged foothold, namely a certificate issued by the trusted CA; attack complexity is high because it depends on this specific combination of configuration and CA naming. A successful attack yields limited confidentiality and integrity impact: the attacker authenticates as a principal other than the one the CA intended.

Root Cause

The root cause is a parsing ambiguity in the principals= field of authorized_keys entries. Commas serve as the list delimiter, and OpenSSH does not distinguish a delimiter comma from a comma that is part of a CA-issued principal name, so one principal containing a comma is split into several candidate principals before matching.

The flaw sits in the control flow that compares certificate principals with the allowed list: for any principal name that contains a comma the comparison is performed on the wrong strings, which is why the issue is classed as always-incorrect control flow rather than a corner-case bug.

Attack Vector

The attack vector requires network access to the SSH service. An attacker would need:

  1. A valid SSH certificate issued by a Certificate Authority the target trusts
  2. That certificate to carry a principal name with an embedded comma whose comma-separated pieces include a principal listed in the target's principals= option
  3. The target to accept the CA through a cert-authority authorized_keys entry that uses a principals= list
  4. Nothing beyond that certificate: the "low privileges" in the CVSS vector are the legitimate certificate the attacker already holds

In vulnerable configurations the split principal matches an entry of the principals= list that the attacker was not granted, allowing a login to an account or role outside the attacker's intended scope.

Because exploitation depends on a trusted CA that embeds commas in principal names and on principals= being used in authorized_keys, in-the-wild exploitation is considered difficult, but it is realistic in environments that rely heavily on SSH certificate authentication with automated principal naming.
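The mechanism described in the root-cause and attack-vector sections, as an added illustration that is not OpenSSH source code or SentinelOne tooling: a simplified model in which the flawed matcher splits the certificate's principal on commas before comparing it with the principals= list, and the intended matcher treats the certificate principal as an opaque string. The principals= value, the CA naming scheme and the three certificates are constructed for the example.

```python
# Added illustration for CVE-2026-35414. This is a model of the behaviour the advisory
# describes, not OpenSSH's own implementation: match_vulnerable() reproduces the flaw
# (embedded commas treated as list delimiters), match_fixed() the intended behaviour.

def split_principals_option(option_value):
    """principals="a,b,c" is a comma-separated list; empty entries are dropped."""
    return [p for p in option_value.split(",") if p]


def match_vulnerable(cert_principals, principals_option):
    """Flawed matching: each certificate principal is itself split on commas, so the
    single CA-issued principal "svc-backup,admin" is compared as two tokens."""
    allowed = set(split_principals_option(principals_option))
    for principal in cert_principals:
        for token in split_principals_option(principal):  # the bug: splitting the cert side
            if token in allowed:
                return token
    return None


def match_fixed(cert_principals, principals_option):
    """Intended matching: a certificate principal must equal one entry of the
    principals= list exactly; a comma inside the name can never help it match."""
    allowed = set(split_principals_option(principals_option))
    for principal in cert_principals:
        if principal in allowed:
            return principal
    return None


def exposure_report(cert_principals, principals_option):
    """Certificate principals the flawed matcher accepts but the intended one rejects,
    i.e. exactly the cases this advisory is about."""
    return [
        p for p in cert_principals
        if match_vulnerable([p], principals_option) is not None
        and match_fixed([p], principals_option) is None
    ]


# Constructed scenario: an authorized_keys entry of the form
#   cert-authority,principals="admin,deploy" ssh-ed25519 AAAA... ops-ca
PRINCIPALS_OPTION = "admin,deploy"

# Constructed certificates from that CA. The third carries a principal that legitimately
# contains a comma under the (hypothetical) CA naming scheme; its holder is not an admin.
LEGIT_ADMIN = ["admin"]
PLAIN_USER = ["svc-backup"]
COMMA_USER = ["svc-backup,admin"]

if __name__ == "__main__":
    for label, cert in [("admin", LEGIT_ADMIN), ("svc", PLAIN_USER), ("svc,comma", COMMA_USER)]:
        print(f"{label:10} vulnerable={match_vulnerable(cert, PRINCIPALS_OPTION)!r:9} "
              f"fixed={match_fixed(cert, PRINCIPALS_OPTION)!r}")
    print("exposed:", exposure_report(LEGIT_ADMIN + PLAIN_USER + COMMA_USER, PRINCIPALS_OPTION))
```

Running the module shows the admin certificate accepted by both matchers, the plain service certificate rejected by both, and the comma-bearing certificate accepted only by the flawed matcher, as the principal admin it was never issued for.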

Detection Methods for CVE-2026-35414

Indicators of Compromise

  • Successful certificate logins to accounts whose principals= list does not contain any principal the certificate was issued with
  • Accepted certificates (key ID, serial, CA fingerprint in the sshd log) whose principal names contain comma characters
  • Sessions on a host or account outside the scope the certificate holder is normally granted

Detection Strategies

  • Inventory the certificates your CA has issued and list their principals (ssh-keygen -L -f <cert> prints them); flag any principal containing a comma
  • Audit authorized_keys files for entries that combine cert-authority with a principals= option, since that is the affected configuration
  • Correlate accepted certificate logins (key ID and serial from the sshd log) against the CA's issuance records to find logins to accounts the certificate should not reach
  • Feed SSH authentication events into central log correlation so that anomalous certificate logins surface alongside other identity telemetry
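The authorized_keys audit from the detection strategies above, as an added example that is not part of OpenSSH or of any SentinelOne tooling: it tokenises the authorized_keys option field (comma-separated, with double-quoted values that may themselves contain commas and backslash-escaped quotes), then reports every entry that combines cert-authority with principals=, which is the configuration the advisory says is affected. The sample file contents are constructed, with truncated placeholder keys.

```python
# Added example: audit authorized_keys files for the configuration affected by
# CVE-2026-35414 (cert-authority entries that use principals=). Not OpenSSH code.

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def split_options_field(line):
    """Return (options, rest). The options field is optional and ends at the first
    whitespace that is not inside a double-quoted value; inside quotes a backslash
    escapes the next character, so quoted values may contain commas and quotes."""
    if line.split(None, 1)[0].startswith(KEY_TYPE_PREFIXES):
        return "", line
    in_quotes, i = False, 0
    while i < len(line):
        c = line[i]
        if in_quotes and c == "\\":
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c.isspace() and not in_quotes:
            break
        i += 1
    return line[:i], line[i:].strip()


def parse_options(field):
    """Parse 'a,b="x,y",c' into {'a': None, 'b': 'x,y', 'c': None}; names lower-cased."""
    opts, i, n = {}, 0, len(field)
    while i < n:
        j = i
        while j < n and field[j] not in ",=":
            j += 1
        name, value = field[i:j].lower(), None
        if j < n and field[j] == "=":
            j += 1
            if j < n and field[j] == '"':
                j, buf = j + 1, []
                while j < n and field[j] != '"':
                    if field[j] == "\\" and j + 1 < n:
                        buf.append(field[j + 1])
                        j += 2
                    else:
                        buf.append(field[j])
                        j += 1
                j += 1  # skip the closing quote
                value = "".join(buf)
            else:
                k = field.find(",", j)
                k = n if k < 0 else k
                value, j = field[j:k], k
        if name:
            opts[name] = value
        i = j + 1 if j < n and field[j] == "," else j
    return opts


def audit_authorized_keys(text):
    """One finding per cert-authority entry that also restricts via principals=."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options_field, rest = split_options_field(line)
        opts = parse_options(options_field)
        if "cert-authority" not in opts or opts.get("principals") is None:
            continue  # plain key, or a CA entry matched on the account name instead
        parts = rest.split(None, 2)
        findings.append({
            "line": lineno,
            "principals": [p for p in opts["principals"].split(",") if p],
            "comment": parts[2] if len(parts) > 2 else "",
        })
    return findings


# Constructed sample ~/.ssh/authorized_keys (placeholder keys, not real material).
SAMPLE = """\
# plain key, unaffected
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne alice@laptop
# CA trusted for two principals: the affected configuration
cert-authority,principals="admin,deploy" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleCaKey ops-ca
# CA entry without principals=: the certificate must name the account itself
cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABExampleRsaCa legacy-ca
# options before and after; a quoted non-principals value containing a comma
from="10.0.0.0/8,192.168.1.1",cert-authority,principals="ops",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleCaKey2 net-ca
"""

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE):
        print(f"line {f['line']}: cert-authority with principals={f['principals']} ({f['comment']})")
```

Run it against each user's authorized_keys (and any AuthorizedKeysFile paths set in sshd_config); every finding is an entry to review against the CA's issued principal names, and the same parse_options() can be reused to pull other options such as from= out of the entries.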

Monitoring Recommendations

  • Set LogLevel VERBOSE in sshd_config so accepted logins record the certificate key ID, serial and CA fingerprint; LogLevel DEBUG also works but is far noisier and should be reserved for troubleshooting rather than left on in production
  • Forward all SSH authentication events to central log collection
  • Alert on accepted certificate logins whose principal names contain commas or otherwise deviate from the CA's naming convention
  • Periodically review the principals in CA-issued certificates (ssh-keygen -L) for comma characters and other special characters

How to Mitigate CVE-2026-35414

Immediate Actions Required

  • Upgrade OpenSSH to version 10.3 or later
  • For OpenSSH Portable installations (most Linux and BSD distributions), upgrade to 10.3p1 or later, or to a distribution package that backports the fix
  • Review every authorized_keys entry that combines cert-authority with a principals= option and assess which accounts it exposes
  • Check the Certificate Authority's issuance policy and issued certificates for principal names containing commas

Patch Information

The vulnerability is addressed in OpenSSH 10.3 and OpenSSH Portable 10.3p1, which correct the matching so that a certificate principal containing commas is compared as a single principal against the principals= list rather than being split into several.

For details, refer to the OpenSSH 10.3p1 release notes; additional technical discussion is available on the OpenSSH development mailing list and the oss-security list (openwall.com).

Workarounds

  • Stop issuing certificates whose principal names contain commas until the patch is applied, and reissue any outstanding ones under a comma-free naming convention
  • For affected accounts, temporarily replace cert-authority entries with explicit per-key authorized_keys entries
  • Limit network exposure of sshd (firewalling, bastion hosts) so that only expected sources can attempt certificate authentication
  • Where the CA is trusted through TrustedUserCAKeys, list allowed principals one per line in an AuthorizedPrincipalsFile instead of the comma-delimited principals= option; note that AuthorizedPrincipalsFile does not apply to cert-authority entries in authorized_keys, which must be removed separately
bash
# /etc/ssh/sshd_config fragment: interim hardening while CVE-2026-35414 is unpatched.
# None of this replaces upgrading to OpenSSH 10.3 / 10.3p1.

# Record certificate details (key ID, serial, CA) for every accepted login
LogLevel VERBOSE

# If certificate logins can be suspended entirely, stop trusting the CA here.
# Caveat: cert-authority lines inside users' authorized_keys are not affected by
# this directive and must be removed by hand.
# TrustedUserCAKeys none

# Otherwise keep the CA but move principal authorisation out of the comma-delimited
# principals= option: one principal per line in a root-owned, per-user file.
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u

# The principals files must be owned by root and not writable by others:
#   chown root:root /etc/ssh/auth_principals/*
#   chmod 644 /etc/ssh/auth_principals/*

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Information Disclosure (as catalogued; the described behaviour is an authorization bypass)
  • Vendor/Tech: OpenSSH
  • Severity: MEDIUM
  • CVSS Score: 4.2
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Impact Assessment (per the CVSS vector)

  • Confidentiality: Low
  • Integrity: Low
  • Availability: None

CWE References

  • CWE-670 (Always-Incorrect Control Flow Implementation)

Technical References

  • OpenSSH Development Mailing List
  • OpenSSH Release Notes 10.3p1
  • OpenWall OSS Security Discussion

Related CVEs

  • CVE-2026-21670: SSH Credential Disclosure Vulnerability
  • CVE-2020-14145: OpenSSH Information Disclosure Vulnerability
  • CVE-2024-39894: OpenSSH Timing Attack Vulnerability
  • CVE-2026-35388: OpenSSH Privilege Escalation Vulnerability