""The flaw resides in a code reuse error that accidentally allowed a simple comma in a certificate principal to be interpreted as a list separator by the parser, turning a low-privilege identity into a root credential.""
""The server considers the authentication legitimate, meaning this attack does not register an authentication failure in logs, making log-based detection highly unreliable.""
""If a certificate contains the principal deploy,root, OpenSSH splits the comma and enables full root access.""
OpenSSH versions released in the last 15 years are vulnerable to CVE-2026-35414, allowing unauthorized root access through a flaw in handling certificate principals. A comma in the principal name can bypass access control, enabling users with valid certificates from trusted CAs to authenticate as root. This vulnerability arises from a code reuse error that misinterprets a comma as a list separator. Consequently, the server does not log authentication failures, making detection through logs unreliable.
Read at SecurityWeek
Unable to calculate read time
Collection
[
|
...
]