Zero Day Monitor (ZDM)
CVE-2026-35388 · PATCHED · CVSS 2.5
openbsd · openssh

CVE-2026-35388: OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.

Description

OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.

Affected Products

Vendor | Product | Versions
openbsd | openssh | 0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
ibm | qradar siem | cert_advisory | 90%
open source | openssh | cert_advisory | 90%

References

  • https://www.openssh.org/releasenotes.html#10.3p1
  • https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2
  • https://www.openwall.com/lists/oss-security/2026/04/02/3

Related News (5 articles)

Tier B · BSI Advisories · 21d ago
[NEW] [high] IBM QRadar SIEM: Multiple vulnerabilities
→ No new info (linked only)

Tier B · BSI Advisories · 70d ago
[NEW] [medium] OpenSSH: Multiple vulnerabilities
→ No new info (linked only)

Tier A · Microsoft MSRC · 70d ago
CVE-2026-35388
→ No new info (linked only)

Tier C · oss-security · 74d ago
Re: Announce: OpenSSH 10.3 released
→ No new info (linked only)

Tier C · VulDB · 75d ago
CVE-2026-35388 | OpenSSH up to 10.2 Proxy-mode Multiplexing Session unprotected alternate channel
→ No new info (linked only)

CVSS 3.1: 2.5 LOW
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
CISA KEV: No
Actively exploited: No
Patch available: 10.3
CWE: CWE-420
Published: Apr 2, 2026
Last enriched: 75d ago (v2)
Trending Score: 4
Source articles: 5
Independent: 4
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

MEDIUM · CVE-2026-55706 · Trending: 35
CVE-2026-55706: sppp_pap_input in sys/net/if_spppsubr.c in OpenBSD before 076e2b1 allows authentication bypass via certain zero values f

HIGH · PRE-CVE · Trending: 26
OpenBSD sppp_pap_input PAP Authentication Bypass Vulnerability

HIGH · CVE-2026-35385 · Trending: 6
CVE-2026-35385: In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' e

LOW · CVE-2026-35386 · EXP · Trending: 3
CVE-2026-35386: In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This r

MEDIUM · CVE-2026-35414 · EXP · Trending: 3
CVE-2026-35414: OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list i

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 2, 2026
Discovered by ZDM: Apr 2, 2026
Updated (affectedVersions, severity): Apr 2, 2026
Patch Available: Apr 2, 2026

Version History

Current version: v2 (last enriched 75d ago)

v2 · Tier C · 75d ago · via VulDB
Updated affected versions to include 10.2, changed severity to MEDIUM, and noted that no exploit is available.
Changed fields: affectedVersions, severity

v1 · 75d ago
Initial creation