CVE-2026-35386

EUVD-2026-18400
In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.6 LOW
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 10%
Affected Products (NVD)
VendorProductVersion
openbsdopenssh
𝑥
< 10.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
openssh
bookworm
1:9.2p1-2+deb12u10
fixed
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
1:8.4p1-5+deb11u7
fixed
forky
1:10.3p1-1
fixed
sid
1:10.3p1-2
fixed
trixie
1:10.0p1-7+deb13u4
fixed
trixie (security)
vulnerable
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
openssh
RHEL 8
0:8.0p1-29.el8_10
fixed
RHEL 9
0:9.9p1-7.el9_8
fixed
openssh-askpass
RHEL 8
0:8.0p1-29.el8_10
fixed
RHEL 9
0:9.9p1-7.el9_8
fixed
openssh-cavs
RHEL 8
0:8.0p1-29.el8_10
fixed
openssh-clients
RHEL 8
0:8.0p1-29.el8_10
fixed
RHEL 9
0:9.9p1-7.el9_8
fixed
openssh-keycat
RHEL 8
0:8.0p1-29.el8_10
fixed
RHEL 9
0:9.9p1-7.el9_8
fixed
openssh-ldap
RHEL 8
0:8.0p1-29.el8_10
fixed
openssh-server
RHEL 8
0:8.0p1-29.el8_10
fixed
RHEL 9
0:9.9p1-7.el9_8
fixed
pam
RHEL 8
0:0.10.3-7.29.el8_10
fixed
RHEL 9
0:0.10.4-7.7.el9_8
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2
https://www.openssh.org/releasenotes.html#10.3p1
https://www.openwall.com/lists/oss-security/2026/04/02/3