OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 Years

A code reuse issue enabled comma characters in certificate principals to be interpreted as list separators.

OpenSSH versions released over the past 15 years are affected by a vulnerability leading to full root shell access, and attacks cannot be spotted via log-based detection, data security firm Cyera says.

Tracked as CVE-2026-35414 (CVSS score of 8.1), the flaw is described as a mishandling of the authorized_keys principals option in certain scenarios involving certificate authorities (CA) that use comma characters.

Because of the bug, which Cyera dubbed SplitSSHell, a comma in an SSH certificate principal name leads to OpenSSH access control bypass, allowing users to authenticate as root on a vulnerable server, as long as they have a valid certificate from a trusted CA.

“The flaw resides in a code reuse error that accidentally allowed a simple comma in a certificate principal to be interpreted as a list separator by the parser, turning a low-privilege identity into a root credential,” Cyera told SecurityWeek.

“The server considers the authentication legitimate, meaning this attack does not register an authentication failure in logs, making log-based detection highly unreliable,” it added.

SplitSSHell, the cybersecurity firm explains, involves the principals list, which includes the usernames that a certificate holder may authenticate as, and the authorized_keys principals, which contain the keys the servers use to trust certificates.

The issue is that a function written to handle cipher and key-exchange list negotiation, which compares comma-separated lists during key exchange, was reused for the principal check: it splits the value on the comma and enables authentication if either fragment matches the principal’s value.

Because of the bug, if a certificate contains the principal deploy,root, OpenSSH splits it at the comma and enables full root access.

A second function that also checks authorization treats the same principal as a single string and denies access. However, once the string matches in the first check, the options processing that runs next causes principal validation to be skipped entirely.
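As an added illustration (not code from the article, Cyera, or OpenSSH), the script below parses the text that `ssh-keygen -L -f <cert>` prints for a certificate, flags any principal that contains a comma, and contrasts a comma-splitting comparison of the kind described above with an exact string comparison. The listing is a constructed sample with placeholder fingerprints; `deploy-cert.pub`, `deploy-key` and the principals are assumed values.

```python
"""Audit SSH user certificates for principals that contain a comma."""
import subprocess

# Constructed sample of `ssh-keygen -L` output for a hypothetical certificate.
# Fingerprints, dates and names are placeholders, not real values.
SAMPLE_LISTING = """\
deploy-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:PLACEHOLDER
        Signing CA: ED25519 SHA256:PLACEHOLDER (using ssh-ed25519)
        Key ID: "deploy-key"
        Serial: 42
        Valid: from 2026-04-01T00:00:00 to 2026-05-01T00:00:00
        Principals: 
                deploy,root
                deploy
        Critical Options: (none)
        Extensions: 
                permit-pty
"""


def list_certificate(path: str) -> str:
    """Run ssh-keygen -L on a certificate file and return its text output."""
    return subprocess.run(["ssh-keygen", "-L", "-f", path],
                          check=True, capture_output=True, text=True).stdout


def parse_principals(listing: str) -> list[str]:
    """Return the principal names listed under 'Principals:' in ssh-keygen -L output."""
    principals, field_indent = [], None
    for line in listing.splitlines():
        indent, stripped = len(line) - len(line.lstrip()), line.strip()
        if field_indent is None:
            if stripped.startswith("Principals:"):
                if stripped[len("Principals:"):].strip():  # "(none)": no principals
                    return []
                field_indent = indent
            continue
        # Principal lines sit deeper than the field label; a line at the
        # label's indent (or an empty line) begins the next field.
        if not stripped or indent <= field_indent:
            break
        principals.append(stripped)
    return principals


def suspicious_principals(principals: list[str]) -> list[str]:
    """Principals a list-splitting matcher would break into several identities."""
    return [p for p in principals if "," in p]


def list_split_match(principal: str, allowed: str) -> bool:
    """Comma-splitting comparison as described in the article: any fragment wins."""
    return allowed in principal.split(",")


def exact_match(principal: str, allowed: str) -> bool:
    """Strict comparison: the whole principal must equal the allowed name."""
    return principal == allowed
```

Run `suspicious_principals(parse_principals(list_certificate(path)))` over the certificates your CA has issued to find any that would need reissuing.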

“We wrote a test certificate with a literal comma in the principal field, pointed it at a test server, and got root. The whole thing took about twenty minutes from ‘that looks wrong’ to a working exploit,” Cyera says.

Successful exploitation of the vulnerability could provide an attacker with root access to all the servers an organization has, if the vulnerable protocol runs on them, the company says.

CVE-2026-35414 was resolved in early April in OpenSSH version 10.3. Organizations are advised to audit their environments and update to a patched version as soon as possible.

*Updated to reference SplitSSHell and link to Cyera’s blog.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
