OpenSSH <10.3: Missing confirmation in proxymode multiplexing: CVE-2026-35388 April 2026

OpenSSH <10.3: Missing confirmation in proxymode multiplexing
CVE-2026-35388 Published on April 2, 2026

OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.

Vulnerability Analysis

CVE-2026-35388 is exploitable with local system access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.

Attack Vector:

LOCAL

Attack Complexity:

HIGH

Privileges Required:

NONE

User Interaction:

REQUIRED

Scope:

UNCHANGED

Confidentiality Impact:

NONE

Integrity Impact:

LOW

Availability Impact:

NONE

Weakness Type

Unprotected Alternate Channel

The software protects a primary channel, but it does not use the same level of protection for an alternate channel.

Products Associated with CVE-2026-35388

Want to know whenever a new CVE is published for OpenBSD OpenSSH? stack.watch will email you.

Affected Versions

Before 10.3 is affected.

OpenSSH <10.3: Missing confirmation in proxymode multiplexingCVE-2026-35388 Published on April 2, 2026

Vulnerability Analysis

Weakness Type

Unprotected Alternate Channel

Products Associated with CVE-2026-35388

Affected Versions

OpenSSH <10.3: Missing confirmation in proxymode multiplexing
CVE-2026-35388 Published on April 2, 2026