OpenSSH Flaw Lurking for 15 Years Could Grant Full Root Shell Access

A critical vulnerability in OpenSSH has been found to affect versions released over the past 15 years, potentially allowing attackers to gain full root shell access on vulnerable systems.

The flaw, tracked as CVE-2026-35414 with a CVSS score of 8.1, stems from how OpenSSH processes certificate principals in certain configurations. Specifically, the issue arises when a comma is included in a certificate principal name, which the system mistakenly interprets as a separator for multiple entries.

Due to this parsing error, an attacker with a valid certificate from a trusted certificate authority (CA) could bypass access controls and escalate privileges to root. Researchers explained that “a simple comma in a certificate principal” could effectively transform a low-privilege identity into one with full administrative access.

The vulnerability originates from a code reuse issue in OpenSSH’s handling of comma-separated values during key exchange and authentication processes. When a crafted principal such as “deploy,root” is processed, the system splits the values and may incorrectly grant root-level access.

A major concern highlighted by researchers is that exploitation of this flaw may not be detectable through standard log-based monitoring, making it particularly difficult for organizations to identify ongoing attacks.

The issue underscores the long-term risks posed by legacy code and subtle implementation errors in widely used infrastructure software. Given OpenSSH’s extensive deployment across servers and enterprise environments, organizations are strongly advised to review configurations and apply available patches to mitigate potential exploitation.
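As part of that configuration review, defenders can inventory issued certificates for principals that contain a comma. The following is an added example, not code from the article or from OpenSSH: it reads the principals field of an `ssh-ed25519-cert-v01@openssh.com` certificate, following the field order in OpenSSH's PROTOCOL.certkeys, and flags any principal with an embedded comma. The sample blobs are constructed and unsigned, and only the ed25519 certificate type is handled.

```python
import base64
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def read_string(buf, off):
    """Read one SSH wire string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated certificate blob")
    return buf[off + 4:end], end

def cert_principals(blob):
    """Return the 'valid principals' list from an ed25519 certificate blob."""
    ktype, off = read_string(blob, 0)
    if ktype != CERT_TYPE:
        raise ValueError("only ed25519 certificates are handled here")
    _, off = read_string(blob, off)        # nonce
    _, off = read_string(blob, off)        # public key
    off += 8 + 4                           # serial (uint64) + cert type (uint32)
    _, off = read_string(blob, off)        # key id
    packed, off = read_string(blob, off)   # principals, packed as strings
    names, pos = [], 0
    while pos < len(packed):
        name, pos = read_string(packed, pos)
        names.append(name.decode("utf-8", "replace"))
    return names

def audit_line(line):
    """Audit one '<type> <base64> [comment]' line; return principals with a comma."""
    blob = base64.b64decode(line.split()[1])
    return [p for p in cert_principals(blob) if "," in p]

def sample_line(principals):
    """Constructed, unsigned sample blob for the demo (not a real certificate)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    blob = (s(CERT_TYPE) + s(b"\0" * 32) + s(b"\0" * 32)
            + struct.pack(">QI", 1, 1) + s(b"constructed-key-id")
            + s(b"".join(s(p.encode()) for p in principals))
            + struct.pack(">QQ", 0, 2**64 - 1)   # valid after / before
            + s(b"") * 5)  # options, extensions, reserved, signature key, signature
    return CERT_TYPE.decode() + " " + base64.b64encode(blob).decode()

if __name__ == "__main__":
    for principals in (["deploy", "ops"], ["deploy,root"]):
        print(principals, "->", audit_line(sample_line(principals)))
```

The same check fits on the CA side, where a signing service can reject any requested principal containing a comma before a certificate is issued.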
