OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 Years
https://www.securityweek.com/openssh-flaw-allowing-full-root-shell-access-lurked-for-15-years/
Publish Date: 2026-04-27 08:29:00
Source Domain: www.securityweek.com
OpenSSH versions released over the past 15 years are affected by a vulnerability leading to full root shell access, and attacks cannot be spotted via log-based detection, data security firm Cyera says.
Tracked as CVE-2026-35414 (CVSS score of 8.1), the flaw is described as a mishandling of the authorized_keys principals option in certain scenarios involving certificate authorities (CA) that use comma characters.
According to Cyera, because of the bug, a comma in an SSH certificate principal name leads to OpenSSH access control bypass, allowing users to authenticate as root on a vulnerable server, as long as they have a valid certificate from a trusted CA.
“The flaw resides in a code reuse error that accidentally allowed a simple comma in a certificate principal to be interpreted as a list separator by the parser, turning a low-privilege identity into a root credential,” Cyera told SecurityWeek.
“The server considers the authentication legitimate, meaning this attack does not register an authentication failure in logs, making log-based detection highly unreliable,” it added.
CVE-2026-35414, the cybersecurity firm explains, involves the principals list, which includes the usernames that a certificate holder may authenticate as, and the authorized_keys principals, which contain the keys the servers use to trust certificates.
The issue is that the check relies on a function that handles cipher and key-exchange list negotiation. That function compares comma-separated lists of ciphers during key exchange; applied here, it splits on the comma and enables authentication if either fragment matches the principal’s value.
Because of the bug, if a certificate contains the principal deploy,root, OpenSSH splits on the comma and enables full root access.
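The list-splitting match described above, contrasted with a whole-string comparison, together with a check for auditing issued principals. This is an added example, not OpenSSH code and not from Cyera; the function names and sample principals are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample principals, as they might appear in issued certificates. */
static const char *const SAMPLE[] = { "deploy", "deploy,root", "ops,admin" };

/* List-style match as the article describes it: split the certificate
 * principal on ',' and accept if any fragment equals the allowed name.
 * Illustrative model only, not OpenSSH's function. */
int list_style_match(const char *cert_principal, const char *allowed)
{
    size_t alen = strlen(allowed);
    const char *p = cert_principal;
    for (;;) {
        size_t flen = strcspn(p, ",");
        if (flen == alen && memcmp(p, allowed, alen) == 0)
            return 1;
        if (p[flen] == '\0')
            return 0;
        p += flen + 1;          /* skip the comma */
    }
}

/* Whole-string comparison: the principal is one opaque name. */
int exact_match(const char *cert_principal, const char *allowed)
{
    return strcmp(cert_principal, allowed) == 0;
}

/* Audit check: count principals on which the two semantics can disagree. */
int count_ambiguous(const char *const principals[], size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (strchr(principals[i], ',') != NULL)
            hits++;
    return hits;
}

int main(void)
{
    for (size_t i = 0; i < 3; i++)
        printf("%-12s list=%d exact=%d\n", SAMPLE[i],
               list_style_match(SAMPLE[i], "root"), exact_match(SAMPLE[i], "root"));
    printf("ambiguous: %d\n", count_ambiguous(SAMPLE, 3));
    return 0;
}
```

Because the article notes that the server logs no authentication failure, a check like `count_ambiguous` is better placed on the CA side, over the principals it has signed or is asked to sign.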
A second function that also checks authorization treats the same principal as a single string and denies access. However, if the string matches, the options that run next result in principal…