CVE-2026-35385: In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' e

Description

In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).

Affected Products

Vendor	Product	Versions
openssh	openssh	0

References

Related News (2 articles)

Tier C

oss-security6h ago

Re: Announce: OpenSSH 10.3 released

→ No new info (linked only)

Tier C

VulDB22h ago

CVE-2026-35385 | OpenSSH up to 10.2 scp permissions

→ No new info (linked only)

CVSS 3.17.5 HIGH

VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited❌ No

Patch available

10.2

CWECWE-281

PublishedApr 2, 2026

Last enriched21h agov2

Trending Score43

Source articles2

Independent2

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

Version History

Last enriched 21h ago

v2Tier C21h ago

Updated severity to CRITICAL and corrected patch availability to 10.2.

severitypatchAvailable

via VulDB

v121h ago

Initial creation

CVE-2026-35385: In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' e

Description

Affected Products

References

Related News (2 articles)

Community Vote

Related CVEs (4)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History