OpenSSH <=10.2: Cmd Exec via Metachar Username on CLI
CVE-2026-35386 Published on April 2, 2026

In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.

NVD

Vulnerability Analysis

CVE-2026-35386 is exploitable with local system access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
LOCAL
Attack Complexity:
HIGH
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

Incorrect Behavior Order

The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.


Products Associated with CVE-2026-35386

Want to know whenever a new CVE is published for OpenBSD OpenSSH? stack.watch will email you.

OpenBSD OpenSSH
 

Affected Versions

OpenBSD OpenSSH:

Exploit Probability

EPSS
0.01%
Percentile
0.51%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.