Zero Day Monitor (ZDM)
Zero Day Monitor © 2026
Status: Pre-CVE · Exploited · Patched
Vendor / product: OpenSSH · openssh

OpenSSH Command-Line Username Metacharacter Validation Bypass

56% confidence

Description

Validation of shell metacharacters in user names supplied on the command line was performed too late to prevent some situations where they could be expanded from %-tokens in ssh_config. For certain configurations, such as those that use a "%u" token in a "Match exec" block, an attacker who can control the user name passed to ssh(1) could potentially execute arbitrary shell commands.

Affected Products

Vendor: OpenSSH
Product: openssh
Versions: < 10.3

CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: 10.3
CWE: CWE-78
Published: Apr 3, 2026
Last enriched: 3h ago (v2)
Tags: command-injection, ssh, metacharacter-bypass
Trending score: 46
Source articles: 1
Independent: 1
Info completeness: 9/14
Missing: cve_id, cvss, epss, kev, iocs


Related CVEs (5)

MEDIUM · CVE-2026-35414 · EXP
CVE-2026-35414: OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list i…
Trending: 68

LOW · CVE-2026-35387 · EXP
CVE-2026-35387: OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or H…
Trending: 51

HIGH · CVE-2026-35385
CVE-2026-35385: In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' e…
Trending: 43

HIGH · CVE-2026-0964 · EXP
A malicious SCP server can send unexpected paths that could make the client application override local files outside of working directory. This could be misused to create malicious executable or confi…
Trending: 40

CVE-2026-1234
OpenSSH 10.3 Security Fixes for Command Injection and Certificate Principal Matching Vulnerabilities
Trending: 18


Verification

State: archived
Confidence: 56%

Vulnerability Timeline

CVE Published: Apr 3, 2026
Actively Exploited: Apr 3, 2026
Exploit Available: Apr 3, 2026
Patch Available: Apr 3, 2026
Discovered by ZDM: Apr 3, 2026
Updated (description, vendor, exploitAvailable, activelyExploited): Apr 3, 2026

Version History

v2 · Tier C · 3h ago (last enriched)

Updated description with more technical detail, added vendor OpenSSH, and marked exploit as available and actively exploited.

Fields changed: description, vendor, exploitAvailable, activelyExploited
Source: via oss-security

v1 · 4h ago

Initial creation