In June 2026, a serious security flaw named CVE-2026-35388 was disclosed in all versions of OpenSSH before 10.3. This vulnerability targets the system’s connection multiplexing logic, letting an attacker bypass confirmation for connection reuse in proxy-mode multiplexing sessions. If you rely on OpenSSH for secure server management or programmatic access, it’s vital to understand this issue and how it may affect your infrastructure.
What is Connection Multiplexing in OpenSSH?
Modern OpenSSH allows users to reuse a single SSH connection for multiple sessions or commands—called *connection multiplexing*. This feature is handy: you can run several ssh or scp commands without having to authenticate every time, making automation and scripting faster.
When a user sets (either globally in ~/.ssh/config or per-command)
Host *
ControlMaster auto
ControlPath ~/.ssh/cm_socket_%r@%h:%p
ControlPersist yes
Subsequent connections reuse the socket, instantly reconnecting.
For sensitive configurations, you’d want confirmation before reusing the master connection, particularly for sessions that proxy traffic using -W, -L, or -D options.
The Flaw: Proxy Multiplexing’s Missing Confirmation
CVE-2026-35388 points to a design mistake in the way OpenSSH handled connection confirmation when proxying via a multiplexed session. The affected logic omits the confirmation prompt for sessions running in *proxy mode* (for example, using ssh -W or ssh -L when connecting via a multiplexed socket).
What’s Wrong?
Clients and users expected the confirmation dialog (like with ControlMaster=autoask), but OpenSSH before 10.3 simply didn't ask for confirmation in proxy-mode sessions. This meant any local process on your system could leap onto an already-authorized SSH connection and proxy traffic to anywhere—even if you thought you’d locked down who could use SSH.
Attack Scenario
Imagine you run an SSH session with connection multiplexing enabled. A local attacker (someone with an account on your workstation) could run:
ssh -S ~/.ssh/cm_socket_bob@myserver:22 -W 10...1:80 bob@myserver
If you had set up ControlMaster=autoask, you’d *expect* a prompt to confirm. But before 10.3, no prompt happened for this proxy connection! The attacker's command would tunnel traffic through your trusted SSH session, bypassing your intent.
`bash
ssh -M -S ~/cm.sock -N user@secure-server
`bash
ssh -S ~/cm.sock -W 192.168.1.100:22 user@secure-server
Result:
- Attacker channels arbitrary traffic via the victim's SSH session, *without* any user confirmation—even if ControlMaster=autoask is set.
All users of OpenSSH before 10.3
- Mostly multi-user systems: If others have accounts on your workstation, including shared environments (like jump hosts, bastion servers, CI runners), you are vulnerable.
Remediation Steps
1. Upgrade to OpenSSH 10.3 or later.
The problem is fully patched in version 10.3.
2. If you cannot upgrade right away:
Restrict local user accounts; prevent untrusted users from logging in.
- Use filesystem permissions to protect your ControlPath sockets (usually in /tmp or your home directory). Don’t place sockets in globally-writable directories.
3. Rotate Secrets.
If you suspect exposure, generate new SSH keys or tokens for affected accounts.
Fix Details and Patch Example
The fix adds a confirmation step for all reused connections, including proxy-mode sessions.
Simulated Patch Snippet
if (mux_client_confirms() || !session_is_proxy) {
// proceed
} else {
// prompt user for confirmation
}
References and Further Reading
(see section on "proxy multiplexing confirmation omission")
- OpenSSH Security Advisories
- CVE Record: CVE-2026-35388 at MITRE
- Multiplexing Documentation
Final Thoughts
CVE-2026-35388 highlights how even trusted system software can have subtle but devastating flaws. If you use OpenSSH’s multiplexing features—especially in multi-user or automated environments—*upgrade immediately* and carefully review your multiplexing security settings.
Stay up to date and scrutinize your system’s user landscape, because sometimes, the biggest risks are close to home.
Timeline
Published on: 04/02/2026 16:57:31 UTC
Last modified on: 04/27/2026 14:12:17 UTC