The 15-Year Shadow: How a Simple Comma Broke OpenSSH Root Access

For security professionals, there are few names more trusted than OpenSSH. It is the gold standard for secure remote access. However, a recently disclosed vulnerability, tracked as CVE-2026-35414, has sent ripples through the community by proving that even the most scrutinized codebases can harbor critical flaws for over a decade.

According to a detailed report by SecurityWeek, this vulnerability has existed in OpenSSH versions released over the last 15 years. If exploited, it grants an attacker full root shell access—and it does so without leaving a trace in the standard authentication logs.

The Vulnerability: Death by Comma

The flaw isn’t found in the encryption itself, but in how OpenSSH parses “principals” (the identities or roles allowed to log in) within SSH certificates.

The issue stems from a classic code reuse error. A function written to parse the comma-separated lists of ciphers and key-exchange algorithms was repurposed to parse the certificate’s principals list. Because cipher lists are comma-separated by convention, the function treated any comma inside a certificate principal as a list separator.

How it works in practice: Imagine a low-privileged user is issued a certificate with the principal name “deploy,root”.

  1. The vulnerable parser sees the comma and splits the string into two separate entities: “deploy” and “root”.
  2. Because “root” is now seen as a valid authorized principal, the server grants the user full root access.
  3. A second validation check does treat the string as a single unit, but because of the logic flow, once the first check has passed certain security options are skipped and the authentication is accepted as legitimate.

Why This is a “Silent” Killer

Most automated security tools and SOC (Security Operations Center) teams rely on logs to detect brute-force attacks or unauthorized access attempts.

The terrifying part of CVE-2026-35414 is that the server views the malicious login as a “successful” authorized connection. There are no “Failed Login” entries to trigger alerts, making log-based detection almost entirely unreliable for spotting this specific exploit.

Impact and Remediation

The researchers at Cyera, who discovered the flaw, noted that they were able to go from identifying the bug to a working root exploit in just 20 minutes. For an attacker with a valid certificate from a trusted Certificate Authority (CA), this is an open door to an organization’s most sensitive infrastructure.

What you need to do:

  • Update Immediately: The vulnerability was resolved in early April with the release of OpenSSH version 10.3.
  • Audit Your CA: Check if your Certificate Authority allows the use of literal commas in principal fields.
  • Patch Management: Ensure that all servers—especially those exposed to the public internet—are running the latest patched version.
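As an added example (not code from the article, SecurityWeek, Cyera or the OpenSSH project), the following Python does two things: it models the two principal-matching behaviours described in the numbered steps above (a comma-splitting list parser beside a whole-string comparison), and it implements the “Audit Your CA” item from the checklist by scanning `ssh-keygen -L` style certificate listings for principals that contain a literal comma. The listing format the parser expects (a `Principals:` field followed by one indented principal per line, or `Principals: (none)`) is an assumption about `ssh-keygen -L` output, and the sample certificate listing is constructed for this example.

```python
"""Added example: model comma-split vs. whole-string principal matching and
audit ssh-keygen -L output for principals containing a literal comma."""
from __future__ import annotations

from typing import Iterable


def match_split_on_comma(cert_principal: str, authorized: Iterable[str]) -> bool:
    """Model of the behaviour the article describes: the principal is run
    through a comma-separated list parser, so matching ANY element succeeds."""
    parts = [p for p in cert_principal.split(",") if p]
    return any(p in authorized for p in parts)


def match_whole_string(cert_principal: str, authorized: Iterable[str]) -> bool:
    """Hardened model: the principal is compared as one opaque string."""
    return cert_principal in authorized


def parse_principals(listing: str) -> list[str]:
    """Extract principals from an ssh-keygen -L style listing.

    Assumed layout (constructed for this example): a 'Principals:' line,
    then one principal per line indented deeper than that header, ending at
    the next field. 'Principals: (none)' yields an empty list.
    """
    principals: list[str] = []
    header_indent: int | None = None
    for line in listing.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if header_indent is None:
            if stripped.startswith("Principals:"):
                header_indent = indent
                rest = stripped[len("Principals:"):].strip()
                if rest == "(none)":
                    return principals
            continue
        if stripped and indent > header_indent:
            principals.append(stripped)
        else:
            break  # next field reached; principals block is over
    return principals


def find_comma_principals(listing: str) -> list[str]:
    """Audit helper: principals that a comma-splitting parser would misread."""
    return [p for p in parse_principals(listing) if "," in p]


# Constructed sample in the shape of `ssh-keygen -L deploy-cert.pub`;
# fingerprints and serial are placeholders, not real values.
SAMPLE_LISTING = """\
deploy-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:PLACEHOLDER-KEY-FINGERPRINT
        Signing CA: ED25519 SHA256:PLACEHOLDER-CA-FINGERPRINT (using ssh-ed25519)
        Key ID: "deploy-key"
        Serial: 42
        Valid: from 2026-04-01T00:00:00 to 2026-05-01T00:00:00
        Principals:
                deploy,root
                ci-runner
        Critical Options: (none)
        Extensions:
                permit-pty
"""

if __name__ == "__main__":
    authorized = {"root"}
    for name, fn in (("comma-split", match_split_on_comma),
                     ("whole-string", match_whole_string)):
        print(f"{name:13s} 'deploy,root' vs {authorized}: {fn('deploy,root', authorized)}")
    flagged = find_comma_principals(SAMPLE_LISTING)
    print("principals with a literal comma:", flagged or "none")
```

In a real audit you would pipe `ssh-keygen -L` over every certificate your CA has issued into `find_comma_principals` and treat any hit as a certificate to revoke and reissue, independent of patching the servers.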

Final Thoughts

This discovery is a sobering reminder of the “Technical Debt” inherent in long-standing open-source projects. A 15-year-old bug reminds us that “battle-tested” doesn’t mean “invincible.”

For the full technical breakdown of the discovery, head over to the original coverage on SecurityWeek.