Security News 8 min read Apr 2, 2026

CVE-2026-35414: OpenSSH Authentication Bypass — A 15-Year-Old Bug That Grants Root Shell

A comma in a certificate principal name is all it takes to bypass SSH access controls entirely. This bug hid in plain sight for 15 years, affecting every organization that relies on SSH certificates for authentication.

Executive Summary

On April 2, 2026, the OpenSSH project disclosed CVE-2026-35414, a high-severity authentication bypass vulnerability that has existed undetected for over 15 years. The flaw resides in how OpenSSH's authorized_keys parser handles the principals option when SSH Certificate Authorities issue certificates containing comma characters in principal names.

An attacker holding a valid certificate from a trusted CA — with a specially crafted principal like "deploy,root" — can trick the parser into interpreting the comma as a list separator. This effectively grants them authentication as any of the resulting split principal names, including root. The attack leaves no trace in authentication logs because it succeeds as a valid certificate login.

8.1
CVSS 3.1 score (High severity)
15 years
Bug existed undetected in OpenSSH
Invisible
No failed auth entries in logs

How the Vulnerability Works

SSH certificates are designed to simplify access management by replacing individual public keys with centrally-issued, short-lived certificates signed by a Certificate Authority (CA). The authorized_keys file on servers can specify which CA to trust and which principals (usernames) a certificate is allowed to authenticate as.

The vulnerability exists in OpenSSH's parsing logic for the principals option. When a certificate is presented during authentication, the server checks if the certificate's principal name matches any of the allowed principals. However, the parser uses the comma character (,) as both:

  • A separator between multiple allowed principals in the authorized_keys line
  • A valid character within a single principal name in the certificate itself

This ambiguity means a certificate issued with the principal "deploy,root" gets parsed as two separate principals: "deploy" and "root". If the server's authorized_keys allows the CA for any principal, the attacker now has root access.

CVE-2026-35414: Certificate Principal Parsing Exploit Flow 1. Attacker Requests Certificate Requests cert with principal: "deploy,root" CA issues valid certificate — comma is legal in names 2. Certificate Presented to Server SSH handshake with valid signed certificate Server sees cert is signed by trusted CA ✓ 3. Principal Parsing Bug (THE VULNERABILITY) authorized_keys: cert-authority principals="deploy,root" ssh-ed25519 AAAA... Parser splits on comma → allows "deploy" OR "root" Intended: single principal "deploy,root" | Actual: two principals "deploy", "root" 4. Authentication Succeeds as Root Attacker obtains root shell — no failed auth logged IDS/SIEM sees normal successful certificate login — completely invisible IMPACT: Full root access with zero detection No brute force • No failed attempts • Valid certificate • Trusted CA signature • Clean logs

The comma in a certificate principal name is misinterpreted as a list separator, granting access to unintended identities including root

Why This Is Devastating

This vulnerability is particularly dangerous for several compounding reasons:

1. It Bypasses the "Gold Standard" of SSH Authentication

SSH certificates are widely considered the most secure method for SSH authentication — superior to password-based or even key-based auth. Organizations that invested in certificate infrastructure believed they had industry-leading security. CVE-2026-35414 shatters that assumption.

2. Attacks Are Completely Invisible

Because the attacker presents a valid, properly-signed certificate, the authentication succeeds normally. There are no failed login attempts, no brute-force patterns, no anomalous entries in /var/log/auth.log or journalctl. SIEM systems, intrusion detection, and audit logs all show a clean, legitimate login. This makes forensic investigation after compromise nearly impossible.

3. It Requires Only a Valid Certificate

The attacker doesn't need to compromise the CA's private key or exploit a separate vulnerability. They only need to obtain a single certificate with a comma-containing principal name from any trusted CA. In organizations using automated certificate issuance (HashiCorp Vault SSH, Netflix BLESS, Smallstep), this is often achievable through normal request channels.

4. 15 Years of Potential Exploitation

The bug has existed since OpenSSH first introduced certificate support. Any organization that has ever used SSH certificates could have been silently compromised without any record of it in their logs.

Critical Question for Your Organization

If an attacker used this vulnerability against your infrastructure last year, would you know? With no failed authentication entries and a valid certificate, there would be zero evidence in standard logging. This is not a hypothetical — this bug existed in the wild for 15 years.

Who Is Affected?

Any organization running OpenSSH versions prior to 10.3 that uses SSH certificate-based authentication is potentially vulnerable. The impact is amplified in environments using:

System / Tool Risk Level Why
Bastion hosts / Jump servers Critical Single point of entry to production — root here means root everywhere
HashiCorp Vault SSH Critical Automated cert issuance — attacker can request certs with crafted principals
Netflix BLESS Critical Lambda-based CA — principal names may not be validated for commas
CI/CD pipelines (GitHub Actions, GitLab, Jenkins) High Automated cert-based deployment access to production servers
Smallstep CA High Internal PKI may issue certs without principal name sanitization
Kubernetes node access High SSH certificates used for node maintenance and debugging
Any custom SSH CA implementation High Likely no input validation on principal names

Timeline

  • ~2011 — OpenSSH introduces certificate-based authentication with the principals option
  • 2011–2026 — Parsing ambiguity exists undetected for approximately 15 years
  • April 2, 2026 — CVE-2026-35414 is published and patched in OpenSSH 10.3
  • April 2, 2026 — OpenSSH 10.3 released with fix

Immediate Mitigation Steps

Update OpenSSH to 10.3+

This is the only complete fix. Prioritize bastion hosts and any internet-facing SSH servers.

Audit your CA's certificate issuance logs

Search for any certificates issued with commas in principal names. These are potential indicators of compromise or pre-positioned attack certificates.

Add input validation to your CA

Reject any certificate signing requests containing commas in principal names. This is a defense-in-depth measure regardless of the OpenSSH patch.

Review authorized_keys files

Identify all servers using cert-authority directives with principals options. These are directly affected.

Enable session recording on critical systems

Since the attack produces no authentication anomalies, session recording is the only way to detect malicious activity post-authentication.

The Deeper Problem: Certificate Auth Alone Is Not Enough

CVE-2026-35414 exposes a fundamental limitation of relying solely on cryptographic authentication — even "strong" authentication — as your access control boundary. The certificate was valid. The signature was correct. The CA was trusted. And yet access was unauthorized.

This pattern repeats across every major infrastructure breach: the authentication succeeds, but the authorization is wrong. Strong authentication is necessary but insufficient. Modern access management requires multiple reinforcing layers:

What Modern Access Control Looks Like

Traditional SSH Certificates Identity-Based Access (OnePAM)
Static trust in CA signature Identity verified through IdP + MFA at every session
Principals parsed locally on each server Centralized policy engine — no local parsing ambiguity
Standing access once cert is issued Just-in-time access with automatic expiration
No visibility into session activity Full session recording with searchable audit trail
Invisible if exploited (no log entries) Every session recorded regardless of auth method
Revocation requires CRL distribution Instant access revocation from central console

The lesson from CVE-2026-35414 is not that SSH certificates are bad — they are still superior to passwords and static keys. The lesson is that authentication alone cannot be your security boundary. You need identity verification, authorization policies, session isolation, just-in-time provisioning, and complete audit trails working together.

Stop Trusting Certificates Blindly

OnePAM replaces static certificate trust with identity-based access that verifies who is connecting, limits what they can do, records everything, and expires access automatically. No parsing bugs. No invisible bypasses. No standing root access.

Start Free Trial

How OnePAM Eliminates This Class of Vulnerability

CVE-2026-35414 exists because of a gap between authentication (proving who you are) and authorization (determining what you can do). OnePAM closes this gap architecturally:

Identity-First, Not Certificate-First

OnePAM authenticates users through your existing Identity Provider (Okta, Azure AD, Google Workspace) with mandatory MFA. Access decisions are made centrally based on verified identity, role, and context — not by parsing certificate fields on individual servers. There is no local parsing step that can be exploited.

Just-In-Time Sessions

Instead of issuing long-lived certificates with static principals, OnePAM grants time-limited sessions that automatically expire. Even if an attacker somehow obtained access, it would last minutes or hours, not indefinitely. There is no standing root access to exploit.

Complete Session Recording

Every SSH session through OnePAM is recorded — commands, output, file transfers — regardless of how authentication occurred. If CVE-2026-35414 had been exploited against a OnePAM-protected system, the attacker's entire session would be captured and reviewable. The "invisible" attack becomes fully visible.

Approval Workflows

Sensitive access (like root on production) can require real-time approval from a team lead or security team before the session is granted. This adds a human verification step that no certificate parsing bug can bypass.

Lessons for Security Teams

CVE-2026-35414 reinforces several principles that security teams should internalize:

  1. Complexity breeds vulnerabilities — The comma-as-separator ambiguity is a trivial parsing oversight, yet it persisted for 15 years in one of the most audited pieces of security software on Earth.
  2. Authentication ≠ Authorization — Proving identity (even strongly) doesn't mean access is appropriate. Separate, explicit authorization decisions are essential.
  3. Invisible attacks require proactive controls — If your security model depends on detecting anomalies in logs, you've already lost when the attack produces no anomalies. Session recording and just-in-time access are proactive, not reactive.
  4. Defense in depth is not optional — A single authentication mechanism (certificates, keys, passwords) should never be your sole access control. Layer identity verification, authorization policies, session limits, and recording together.
  5. Standing access is standing risk — Any access that exists 24/7 is exploitable 24/7. JIT access reduces your attack surface from permanent to ephemeral.

Assess Your Exposure

Run this command on your servers to check your OpenSSH version: ssh -V. Any version below 10.3 is vulnerable. Then check for certificate trust: grep "cert-authority" ~/.ssh/authorized_keys /etc/ssh/authorized_keys*. If both conditions are true, you are actively exposed to CVE-2026-35414.

Remediation Priority Guide

P0 — Immediate (Today)

Patch internet-facing bastion hosts and jump servers to OpenSSH 10.3. Add comma-rejection to your CA's certificate issuance pipeline.

P1 — This Week

Patch all production SSH servers. Audit certificate issuance logs for comma-containing principals. Review CI/CD pipeline certificate configurations.

P2 — This Month

Patch development and staging environments. Evaluate moving from certificate-only auth to identity-based access with session recording. Implement just-in-time access for root-level operations.

Conclusion

CVE-2026-35414 is a sobering reminder that even the most trusted, most audited security infrastructure can harbor simple, devastating bugs for over a decade. A single comma — misinterpreted by a parser — turns legitimate certificate infrastructure into a root access vector that evades all detection.

The fix for this specific bug is straightforward: update to OpenSSH 10.3. But the fix for the class of problem it represents requires rethinking how we approach infrastructure access entirely. Authentication must be paired with authorization. Access must be time-limited. Sessions must be recorded. And no single mechanism — not certificates, not keys, not passwords — should be the sole gatekeeper to your production systems.

Move Beyond Certificate-Only Security

OnePAM provides identity-based access with JIT sessions, full session recording, approval workflows, and instant revocation. Eliminate the class of vulnerability that CVE-2026-35414 represents — not just the specific bug.

Get Started Free
CVE OpenSSH SSH Authentication Bypass Certificate Auth
OnePAM Team
Security & Infrastructure Team

Keep Reading