Breaking: NSA advises regular router reboots

Cloud Security Alliance Warns CISOs to Prepare for AI-Powered Cyberattacks

The AI Boom Is Turning Energy Into a Consumer Issue

As AI Spending Surges, Chip Prices Ripple Into Daily Life

OpenSSH “SplitSSHell” Shows How One Parsing Bug Can Break Trusted Remote Access

A major infrastructure vulnerability disclosed this week affected OpenSSH, the remote-access software used across Linux, Unix, cloud, and enterprise environments. The flaw, tracked as CVE-2026-35414 and publicly named “SplitSSHell” by Cyera, involves how OpenSSH handled certificate principal names containing comma characters in certain authorized_keys configurations.

The vulnerability is important because OpenSSH is one of the most trusted remote administration tools in the world. Cyera said the issue existed from OpenSSH 5.6 through 10.2p1 and was fixed in OpenSSH 10.3/10.3p1. The risk centers on certificate-based authentication, where a crafted SSH certificate principal containing a comma could be interpreted incorrectly and bypass intended access restrictions under affected configurations.

SecurityWeek reported that Cyera described the flaw as a code reuse error where a comma in a certificate principal could be treated as a list separator, potentially turning a low-privilege identity into a root credential. Singapore’s Cyber Security Agency also issued an alert warning that successful exploitation could allow an authenticated attacker to bypass access controls and gain unauthorized root access on affected systems.

The affected software is OpenSSH before version 10.3 in configurations that trust a certificate authority through authorized_keys (cert-authority entries) and restrict access with principals= lists. This does not mean every OpenSSH server is exploitable. The precise risk is for environments using those certificate-authentication patterns where a CA can issue, or be tricked into issuing, a certificate whose principal contains attacker-influenced content.
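As an added illustration (not OpenSSH's source and not Cyera's proof of concept), the following Python models the bug class described above: a principals= matcher that reuses the option's comma splitter on certificate principals, beside the exact-string comparison the fix implies, plus the CA-side issuance guard that "restrict principal issuance" amounts to. The account names, principals and rule text are constructed, and how closely this mirrors the real code path is an assumption; the documented semantics it relies on are that principals= in authorized_keys is a comma-separated list and that each certificate principal is one opaque string.

```python
# Added illustration of the bug class described in the article: a simplified
# model of principals= matching, NOT OpenSSH's own code. The names below are
# constructed for the demo.

def parse_principals_option(value):
    """principals="a,b" -> ["a", "b"]: the list splitter for the *option*."""
    return [p for p in value.split(",") if p]


def cert_matches_vulnerable(cert_principals, option_value):
    """Bug model: the option's list splitter is reused on each certificate
    principal, so "ci-runner,root" is seen as two names and "root" matches."""
    allowed = set(parse_principals_option(option_value))
    for cp in cert_principals:
        if any(piece in allowed for piece in parse_principals_option(cp)):
            return True
    return False


def cert_matches_fixed(cert_principals, option_value):
    """Each certificate principal is compared as a single opaque string."""
    allowed = set(parse_principals_option(option_value))
    return any(cp in allowed for cp in cert_principals)


def principal_is_issuable(principal):
    """CA-side guard for the 'restrict principal issuance' mitigation: refuse
    to sign names that a list splitter or option parser could re-interpret,
    or that are not plain printable account names."""
    if not principal or len(principal) > 64:
        return False
    if any(ch in principal for ch in ",\"' \t\r\n"):
        return False
    return principal.isprintable()


def demo():
    root_rule = "root"              # root's authorized_keys: principals="root"
    legit = ["alice"]               # an ordinary user certificate
    crafted = ["ci-runner,root"]    # attacker-influenced principal text
    return {
        "legit_vuln": cert_matches_vulnerable(legit, root_rule),
        "legit_fixed": cert_matches_fixed(legit, root_rule),
        "crafted_vuln": cert_matches_vulnerable(crafted, root_rule),
        "crafted_fixed": cert_matches_fixed(crafted, root_rule),
        "crafted_issuable": principal_is_issuable(crafted[0]),
        "legit_issuable": principal_is_issuable(legit[0]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:17} {value}")
```

The point of the side-by-side is that the crafted certificate is accepted for root only by the matcher that re-splits the principal; the exact-string version rejects it, and the issuance guard stops the CA from producing such a principal in the first place.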

Based on the public reporting reviewed, exploitation is at proof-of-concept stage and depends on configuration. A GitHub repository for lab reproduction of CVE-2026-35414 exists, and Cyera's write-up explains the issue publicly. That raises the urgency for administrators: even when exploitation requires specific conditions, public technical detail accelerates testing against exposed enterprise configurations.

Indicators of compromise are hard to define because exploitation shows up as a successful authentication rather than a failed login. SecurityWeek reported Cyera's warning that the server treats the authentication as valid, which makes failed-login monitoring alone unreliable. Defenders should review SSH certificate-authentication configurations, certificate principal values, unusual root logins, unexpected successful SSH sessions, CA issuance logs, and privileged access patterns that do not match normal administrative behavior.
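To make the "looks like a legitimate login" point concrete, here is an added Python detector (not from any of the cited sources) that runs over constructed sshd "Accepted publickey" lines and reconciles each certificate login against a constructed CA issuance ledger and a trusted-CA list. The line shape (key ID, serial and CA fingerprint after the key type) is assumed from sshd's certificate accept message; the hosts, addresses, fingerprints, serials and ledger contents are made up.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of sshd "Accepted publickey" lines. For certificate logins
# sshd appends the key ID, serial and CA fingerprint (format assumed from sshd's
# auth logging); every host, address, fingerprint and serial here is made up.
SAMPLE_AUTH_LOG = """\
Apr 14 09:01:12 web01 sshd[2211]: Accepted publickey for alice from 203.0.113.7 port 52214 ssh2: ED25519-CERT SHA256:k1 ID alice@corp (serial 1001) CA ED25519 SHA256:caprod
Apr 14 09:02:40 web01 sshd[2230]: Accepted publickey for root from 203.0.113.7 port 52290 ssh2: ED25519-CERT SHA256:k2 ID ci-runner@corp (serial 1002) CA ED25519 SHA256:caprod
Apr 14 09:03:05 web01 sshd[2244]: Accepted publickey for bob from 198.51.100.9 port 40110 ssh2: ED25519 SHA256:k3
Apr 14 09:04:51 web01 sshd[2259]: Accepted publickey for root from 198.51.100.9 port 40222 ssh2: RSA-CERT SHA256:k4 ID ops-oncall (serial 7) CA RSA SHA256:caunknown
"""

# Constructed CA issuance ledger: serial -> principals the CA signed into the
# certificate. The accepted login is reconciled against this, not the other way.
ISSUANCE = {
    1001: ["alice"],
    1002: ["ci-runner,root"],  # a principal carrying the comma the flaw abuses
}
TRUSTED_CAS = {"SHA256:caprod"}
PRIVILEGED = {"root"}

ACCEPT_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2: "
    r"(?P<ktype>\S+) (?P<kfp>\S+)"
    r"(?: ID (?P<kid>.+?) \(serial (?P<serial>\d+)\) CA \S+ (?P<cafp>\S+))?$"
)


@dataclass
class Finding:
    line_no: int
    user: str
    src: str
    serial: int
    key_id: str
    reasons: list = field(default_factory=list)


def analyse(log_text, issuance=ISSUANCE, trusted_cas=TRUSTED_CAS, privileged=PRIVILEGED):
    """Return one Finding per certificate login that needs a human look."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = ACCEPT_RE.search(line)
        if not m or m["serial"] is None:
            continue  # not an accept line, or a plain-key login: out of scope here
        user, serial, cafp = m["user"], int(m["serial"]), m["cafp"]
        issued = issuance.get(serial)
        reasons = []
        if cafp not in trusted_cas:
            reasons.append(f"certificate signed by unrecognised CA {cafp}")
        if issued is None:
            reasons.append(f"no issuance record for serial {serial}")
        else:
            if user not in issued:
                # The server accepted a name the CA never issued as a whole
                # principal: what a principal-splitting bug looks like from the log.
                reasons.append(f"login as {user!r} but serial {serial} was issued for {issued}")
            if any("," in p for p in issued):
                reasons.append("issued principal contains a comma")
        if user in privileged:
            reasons.append(f"privileged account {user!r} reached via certificate")
        if reasons:
            findings.append(Finding(n, user, m["src"], serial, m["kid"], reasons))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_AUTH_LOG):
        print(f"line {f.line_no}: {f.user} from {f.src} (serial {f.serial}, ID {f.key_id})")
        for r in f.reasons:
            print("   -", r)
```

The useful signal is the mismatch between the account the server granted and the principals the CA actually issued for that serial; that comparison needs the issuance ledger, which is why the article lists CA issuance logs among the things to review.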

This matters in the current threat landscape because identity and trust logic are becoming as important as memory corruption bugs. OpenSSH is not just another application; it is the control channel for servers, cloud systems, developer infrastructure, and administrative access. A parsing flaw in that trust path can undermine carefully designed access policies.

For everyday users, the effect is mostly indirect. Users may never configure SSH certificates themselves, but they depend on companies, cloud providers, hosting platforms, software vendors, and IT teams that use SSH to manage systems. If remote administration controls fail, the services users rely on can face data exposure, downtime, or unauthorized administrative access.

Cybersecurity professionals should use this event to review SSH certificate authentication, CA issuance controls, authorized_keys restrictions, privileged login policies, and upgrade plans. The deeper lesson is that access-control logic deserves the same scrutiny as exposed network services. A server does not have to crash or show obvious brute-force attempts for access control to fail.

Relevant tools include vulnerability scanners, SSH configuration auditing, SIEM, privileged access management, certificate authority logging, EDR for Linux servers, cloud workload protection, file-integrity monitoring, and centralized authentication telemetry. Teams should specifically look for where SSH certificate-based access is used, which principals are allowed, and whether root or privileged accounts can be reached through certificate rules.

Mitigation is to update OpenSSH to 10.3 or later where applicable (distributions that backport the fix may keep an older version string, so confirm through the package changelog rather than the banner alone), review certificate-authority trust configuration, restrict principal issuance, audit authorized_keys entries that use principals=, and monitor for abnormal SSH sessions. Organizations should also remove unnecessary root SSH access and enforce least-privilege administration wherever possible.
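Added example (not the project's code and not from the cited advisories) of two checks the mitigation list asks for: parsing authorized_keys option fields to find cert-authority entries and the principals= they allow, and reading the version out of an ssh -V string or server banner to compare against the 10.3 fix version named above. The sample files and account names are constructed and the key material is a placeholder; the options grammar implemented (comma-separated, double-quoted values, backslash escapes inside quotes) follows the authorized_keys format as documented.

```python
import re

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")
FIXED_VERSION = (10, 3)  # fix version cited by the advisories

# Constructed authorized_keys content keyed by account; key blobs are placeholders.
SAMPLE_FILES = {
    "root": """\
# break-glass CA trust
cert-authority,principals="root",from="10.0.0.0/8" ssh-ed25519 AAAAC3Nz...CAKEY ops-ca
cert-authority ssh-ed25519 AAAAC3Nz...OLDCA legacy-ca
""",
    "deploy": """\
cert-authority,principals="deploy,ci-runner",command="/usr/local/bin/deploy" ssh-ed25519 AAAAC3Nz...CAKEY ops-ca
ssh-ed25519 AAAAC3Nz...USERKEY deploy@laptop
""",
}


def split_options(line):
    """Return (options, rest): options end at the first whitespace outside
    double quotes; a backslash escapes the next character inside quotes."""
    in_q, i = False, 0
    while i < len(line):
        c = line[i]
        if in_q and c == "\\":
            i += 2
            continue
        if c == '"':
            in_q = not in_q
        elif c.isspace() and not in_q:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""


def parse_options(text):
    """Split an options field on commas outside quotes into {name: value};
    flag options such as cert-authority map to True. Quotes are stripped."""
    opts, cur, in_q, i = {}, [], False, 0

    def add(tok):
        if tok:
            name, eq, val = tok.partition("=")
            opts[name.lower()] = val if eq else True

    while i < len(text):
        c = text[i]
        if in_q and c == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if c == '"':
            in_q = not in_q
        elif c == "," and not in_q:
            add("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    add("".join(cur))
    return opts


def audit(files, privileged=frozenset({"root"})):
    """files: account -> authorized_keys text. Returns (severity, account, line_no,
    message) per cert-authority entry; high severity when it reaches a privileged account."""
    out = []
    for account, content in files.items():
        for n, raw in enumerate(content.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#") or line.startswith(KEY_TYPE_PREFIXES):
                continue  # blank, comment, or plain key with no options field
            opts = parse_options(split_options(line)[0])
            if "cert-authority" not in opts:
                continue
            principals = opts.get("principals")
            allowed = [p for p in principals.split(",") if p] if isinstance(principals, str) else None
            if account not in privileged:
                out.append(("info", account, n, f"cert-authority entry, principals={allowed}"))
            elif allowed is None:
                out.append(("high", account, n,
                            f"no principals= restriction: any cert from this CA naming {account!r} is accepted"))
            else:
                out.append(("high", account, n,
                            f"principals={allowed} reach privileged account {account!r}; confirm the CA cannot issue these names to others"))
    return out


def version_is_fixed(banner):
    """True if an ssh -V string or SSH-2.0 banner reports OpenSSH 10.3 or later,
    False if older, None if no OpenSSH version is present."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m[1]), int(m[2])) >= FIXED_VERSION


if __name__ == "__main__":
    for sev, account, n, msg in audit(SAMPLE_FILES):
        print(f"[{sev}] {account} authorized_keys line {n}: {msg}")
    for b in ("SSH-2.0-OpenSSH_9.9p1 Debian-3", "OpenSSH_10.3p1, OpenSSL 3.0.13"):
        print(b, "->", "fixed" if version_is_fixed(b) else "older than 10.3")
```

Treat the version check as a first pass only: a distribution that backports the patch without bumping the version string will read as "older than 10.3" here, so the package changelog is the authoritative answer. The audit output is the list of places where a CA-issued principal can reach root, which is the set of entries to review before trusting the CA's issuance controls.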

CVE number: CVE-2026-35414.

CVSS score / severity: High severity in public advisories; CSA Singapore described the impact as unauthorized root access in affected configurations. NVD and vendor scoring should be checked in operational environments because real exposure depends on certificate-authentication configuration.

Sources: Cyera Research “SplitSSHell,” published April 2026; SecurityWeek, published April 2026; CSA Singapore alert AL-2026-045, published April 2026; NVD/CVE-related OpenSSH records; Tenable plugin coverage for OpenSSH before 10.3.
