OpenSSH CVE-2026-35414: Certificate Authentication Bypass via Comma Bug Grants Root Access

A single-character defect in OpenSSH's certificate Subject Alternative Name parsing allows an attacker with a maliciously crafted certificate to bypass host-based and user certificate authentication entirely, potentially gaining unauthorised access to systems relying on certificate-based SSH for privileged access. Researchers have named the vulnerability SplitSSHell. Operators using OpenSSH certificate authentication for root or privileged user access should review their CA trust chains immediately.

#openssh #cve #certificate-authentication #cryptography #linux #infrastructure-security #privileged-access

Cyera security researchers have disclosed CVE-2026-35414, a certificate authentication bypass in OpenSSH that they have named SplitSSHell. The vulnerability originates in a parsing defect when processing Subject Alternative Name (SAN) fields in OpenSSH certificates: a comma character in a SAN field causes OpenSSH’s certificate validation logic to incorrectly split and truncate the SAN during principal matching, resulting in the authentication check returning a false success against an invalid certificate.

The practical consequence is that an attacker in possession of any certificate signed by a trusted Certificate Authority (even a certificate with entirely different principal names) can, under specific conditions, authenticate to a host that accepts that CA’s certificates for user or host authentication. In environments where a single SSH CA issues certificates for all infrastructure, the scope of exposure is organisation-wide.

How SplitSSHell Works

OpenSSH certificate authentication works by validating that a presented certificate is:

  1. Signed by a trusted CA (listed in TrustedUserCAKeys or AuthorizedPrincipalsFile)
  2. Valid for the principal (username) being used to authenticate
  3. Within its validity period and not revoked

The vulnerability lies in step 2. When parsing the valid principals field of an OpenSSH certificate, the code processes comma-delimited principal names. Cyera researchers discovered that a certificate with a SAN crafted to include a comma within a principal name, specifically a format such as "user@host," (with a trailing comma) or "user1,user@target", causes the parser to incorrectly identify the target username as a valid principal when it is not.

The attack requires possession of a certificate signed by any CA trusted by the target host. In environments using short-lived certificates issued by internal CAs (a common pattern for zero-trust SSH access architectures), a legitimate certificate from an earlier session could be repurposed with manipulation of the principal field, though exploiting this in practice depends on the precise certificate format the CA uses.

Affected Versions and Patch Status

CVE-2026-35414 affects OpenSSH versions 7.4 through 9.8p1, covering the full range of versions in which certificate authentication via the current X.509-inspired format is supported. A patch is included in OpenSSH 9.9p1, released 5 May 2026.

Linux distributions will ship patched packages via their standard repositories. Update via your distribution’s package manager:

  • Debian/Ubuntu: apt update && apt install openssh-server openssh-client
  • RHEL/Rocky/AlmaLinux: dnf update openssh
  • Fedora: dnf update openssh

Who Is Affected

The vulnerability exclusively affects deployments using OpenSSH certificate authentication; specifically, environments where:

  • TrustedUserCAKeys is configured in sshd_config to accept certificates from an internal CA, or
  • AuthorizedPrincipalsFile is used to map certificate principals to system users

Password authentication and public key (non-certificate) authentication are unaffected. The majority of consumer and standard server SSH deployments using authorized_keys files are not vulnerable.

The affected population disproportionately includes:

  • Zero-trust SSH architectures using certificate-issuing proxies such as the HashiCorp Vault SSH secrets engine, Teleport, or custom OpenSSH CA implementations
  • Enterprise infrastructure that has adopted certificate-based SSH as the preferred alternative to static SSH keys for privileged access management
  • CI/CD and automation platforms issuing short-lived SSH certificates for pipeline access to deployment targets

Interim Mitigations

If immediate patching is not possible:

  1. Audit CA certificate trust: Confirm that TrustedUserCAKeys entries reference only CAs that issue certificates whose principal names contain no commas or other punctuation that could affect parsing.
  2. Disable certificate authentication temporarily: Revert to authorized_keys-based authentication until patching is complete. For environments using certificate-based zero-trust SSH, this requires coordination with the access management platform.
  3. Enable certificate revocation lists: Ensure your SSH CA is configured to check CRLs or OCSP, and revoke any certificates with malformed principal fields.
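As an added audit aid (not code from the advisory, from Cyera, or from OpenSSH), the Python below parses ssh-keygen -L output, flags principals containing commas or whitespace as step 1 asks, and contrasts a simplified comma-split matcher modelling the defect described under How SplitSSHell Works with the exact whole-string match the check should perform. The listing, fingerprints and principal names are constructed, and the split model is an illustration of the described behaviour, not OpenSSH's actual code.

```python
"""Audit principals in OpenSSH certificate listings (interim mitigation 1)."""
import re

# Constructed sample of `ssh-keygen -L -f <cert>` output; fingerprints are placeholders.
SAMPLE_LISTING = """\
/tmp/alice-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:PLACEHOLDER_KEY_FINGERPRINT
        Signing CA: ED25519 SHA256:PLACEHOLDER_CA_FINGERPRINT (using ssh-ed25519)
        Key ID: "alice@example"
        Serial: 42
        Valid: from 2026-05-05T00:00:00 to 2026-05-05T08:00:00
        Principals:
                alice
                deploy,root
                ops@bastion,
        Critical Options: (none)
"""

# Commas are what the advisory names; whitespace is flagged as equally out of place.
SUSPICIOUS = re.compile(r"[,\s]")

def parse_principals(listing: str) -> list:
    """Return the names listed under 'Principals:' in one ssh-keygen -L listing."""
    principals, header_indent = [], None
    for line in listing.splitlines():
        indent = len(line) - len(line.lstrip())
        if line.strip() == "Principals:":
            header_indent = indent
            continue
        if header_indent is not None:
            if indent <= header_indent:
                break  # back at header level, so the principals block has ended
            principals.append(line.strip())
    return principals

def flag_principals(principals: list) -> list:
    """Principals that a comma-delimited parser could split into extra names."""
    return [p for p in principals if SUSPICIOUS.search(p)]

def naive_comma_split_matches(principals: list, username: str) -> bool:
    """Simplified model of the advisory's defect (not OpenSSH's code): re-joining on
    commas and splitting again manufactures principals the CA never issued."""
    return username in ",".join(principals).split(",")

def exact_matches(principals: list, username: str) -> bool:
    """Whole-string comparison against each issued principal: the intended check."""
    return any(p == username for p in principals)
```

Run it over real listings with ssh-keygen -L -f on each issued certificate; any non-empty result from flag_principals is a certificate to revoke under step 3.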

This vulnerability demonstrates the risk of subtle parser defects in cryptographic authentication code: a single-character difference in handling that collapses an authentication boundary in one of the most widely deployed network services in enterprise infrastructure.
