OpenSSH versions released over the past 15 years are affected by a vulnerability leading to full root shell access, and attacks cannot be spotted via log-based detection, according to Cyera. Tracked as CVE-2026-35414 (CVSS 8.1), the flaw is a mishandling of the authorized_keys principals option in certain CA scenarios that use comma characters.
According to Cyera, a comma in a certificate principal name can bypass access control, enabling root authentication on a vulnerable server as long as a valid certificate from a trusted CA is present. The bug arises because the principal name passes through a function meant for comma-separated cipher and key-exchange lists, which splits it on commas; a crafted principal can thus turn a low-privilege identity into a root credential. Cyera said a test certificate with a literal comma in the principal field produced root access on a test server about twenty minutes after the issue was first noticed.
CVE-2026-35414 was resolved in early April in OpenSSH version 10.3, and organisations are advised to audit their environments and update to a patched version as soon as possible.
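Since the article says log-based detection does not catch this, one practical audit is to inspect the certificates themselves. The following is an added example, not code from Cyera or the OpenSSH project: it parses `ssh-keygen -L` output and flags any certificate principal that contains a comma. The listing embedded below is a constructed sample, not a real certificate; `audit_certificate` runs the real `ssh-keygen -L -f` command on a file you supply.

```python
import subprocess
from typing import List, Optional

# Constructed sample of `ssh-keygen -L` output (placeholder fingerprints, no real key).
SAMPLE_CERT_LISTING = """\
id_ed25519-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:PLACEHOLDER_FINGERPRINT
        Signing CA: ED25519 SHA256:PLACEHOLDER_CA_FINGERPRINT (using ssh-ed25519)
        Key ID: "alice@example.test"
        Serial: 42
        Valid: from 2026-04-01T00:00:00 to 2026-04-02T00:00:00
        Principals:
                alice
                alice,root
        Critical Options: (none)
        Extensions:
                permit-pty
"""


def parse_principals(listing: str) -> List[str]:
    """Return the principal names from `ssh-keygen -L` output.

    Principals are printed one per line, indented deeper than the
    "Principals:" header; the next line at header depth ends the block.
    """
    principals: List[str] = []
    header_indent: Optional[int] = None
    for raw in listing.splitlines():
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if header_indent is None:
            if line.startswith("Principals:"):
                # "Principals: (none)" means the certificate carries no principals.
                if line[len("Principals:"):].strip() == "(none)":
                    return []
                header_indent = indent
            continue
        if indent <= header_indent:
            break
        if line:
            principals.append(line)
    return principals


def suspicious_principals(listing: str) -> List[str]:
    """Principals containing a comma, the character CVE-2026-35414 mishandles."""
    return [p for p in parse_principals(listing) if "," in p]


def audit_certificate(path: str) -> List[str]:
    """Run `ssh-keygen -L -f <path>` on a real certificate file and flag comma-bearing principals."""
    out = subprocess.run(["ssh-keygen", "-L", "-f", path], check=True,
                         capture_output=True, text=True).stdout
    return suspicious_principals(out)
```

Any non-empty result from `audit_certificate` is a certificate to revoke and a CA issuance path to investigate, regardless of whether the target sshd has been patched.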