The issue is that a function handling cipher and key-exchange list negotiation, which compares comma-separated lists of ciphers during key exchange, was also applied to certificate principals: it splits the value on the comma and grants authentication if either fragment matches the principal's expected value.

Because of the bug, if a certificate contains the principal “deploy,root”, OpenSSH splits it at the comma and grants full root access.

A second function that also checks authorization treats the same principal as a single string and denies access. However, if the string matches, the options that run next cause principal validation to be skipped entirely.

“We wrote a test certificate with a literal comma in the principal field, pointed it at a test server, and got root. The whole thing took about twenty minutes from ‘that looks wrong’ to a working exploit,” Cyera says.

Successful exploitation of the vulnerability could provide an attacker with root access to all the servers an organization has, if the vulnerable protocol runs on them, the company says.

CVE-2026-35414 was resolved in early April in OpenSSH version 10.3. Organizations are advised to audit their environments and update to a patched version as soon as possible.
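The following Python is an added illustration, not OpenSSH source code or Cyera's test, of the two matching behaviours the article contrasts: a list-splitting comparison that accepts a login if any comma-separated fragment of the certificate principal is authorized, beside a strict whole-string comparison that treats the principal as one opaque value. The function names, the authorized-principal list and the sample principals are all constructed for the example; the audit helper at the end shows the defender-side check an organization can run over the principals it has issued (the `ssh-keygen -L -f <cert>` command prints a certificate's principals) to find values containing a comma.

```python
"""Constructed illustration of list-splitting vs. strict principal matching.
Not OpenSSH code; names and values are made up for the example."""

# Constructed: the principal the server authorizes for the login user "root".
AUTHORIZED_PRINCIPALS = ["root"]


def list_split_match(cert_principal: str, authorized: list[str]) -> bool:
    """Flawed behaviour described in the article: the certificate principal is
    treated like a cipher list, split on ',' and accepted if ANY fragment
    matches an authorized principal."""
    fragments = cert_principal.split(",")
    return any(fragment in authorized for fragment in fragments)


def strict_match(cert_principal: str, authorized: list[str]) -> bool:
    """Hardened behaviour: the principal is a single opaque string and must
    equal an authorized principal exactly; no delimiter is special."""
    return cert_principal in authorized


def audit_principals(issued_principals: list[str]) -> list[str]:
    """Defender-side audit helper (constructed): return every issued principal
    that contains a comma, which a certificate-issuing process should reject."""
    return [p for p in issued_principals if "," in p]


if __name__ == "__main__":
    # Constructed principal values for the demonstration.
    suspicious = "deploy,root"
    for name, check in (("list-split", list_split_match), ("strict", strict_match)):
        print(f"{name:10s} principal {suspicious!r} -> authorized={check(suspicious, AUTHORIZED_PRINCIPALS)}")
    print("principals needing review:", audit_principals(["deploy", suspicious, "ops"]))
```

Run stand-alone, the script shows the list-splitting check accepting “deploy,root” for root while the strict check rejects it, and the audit helper flags that one principal for review; the same audit can be pointed at the output of `ssh-keygen -L` for each certificate an organization has issued.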

Source: SecurityWeek