OpenSSH Command Injection Vulnerability via Shell Metacharacters in Usernames

Vulnerability

A command injection vulnerability has been identified in OpenSSH versions prior to 10.3. The issue arises when shell metacharacters are included in a username supplied on the command line, allowing arbitrary command execution. Exploitation requires that the username is untrusted and that a specific non-default configuration is present in ssh_config.

Impact

Exploitation of this vulnerability could lead to unauthorized command execution on the server.

Reproduction

To reproduce this vulnerability, first ensure that OpenSSH is running a version prior to 10.3. Then configure ssh_config with a Match exec block whose command uses the %u token. Finally, run the ssh command with a username that contains shell metacharacters. The injected commands will be executed on the server.

Remediation

Users are advised to update to OpenSSH version 10.3 or later, where this vulnerability has been addressed.
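As an added defensive check (not part of this advisory or of OpenSSH itself), the Python below scans an ssh_config for Match exec commands that embed a username token and checks the banner printed by `ssh -V` against the fixed release named above. The sample config is constructed, and treating %r as a username token alongside the %u named in the advisory is an assumption taken from ssh_config(5).

```python
import re

# Tokens that expand to a username in ssh_config(5). The advisory names %u
# (local username); %r (remote username) is added here as a defensive assumption.
USERNAME_TOKENS = ("%u", "%r")

# Release the advisory names as fixed: (major, minor).
FIXED_VERSION = (10, 3)

_MATCH_LINE = re.compile(r'^\s*Match\b(?P<rest>.*)$', re.IGNORECASE)
# An exec criterion's command, either double-quoted or a single bare word.
_EXEC_ARG = re.compile(r'\bexec\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))', re.IGNORECASE)


def find_risky_match_exec(config_text):
    """Return (line_number, command) for each Match exec command that embeds
    a username token. Blank lines and full-line comments are skipped."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _MATCH_LINE.match(raw)
        if not m:
            continue
        for e in _EXEC_ARG.finditer(m.group("rest")):
            cmd = e.group("quoted") if e.group("quoted") is not None else e.group("bare")
            if any(tok in cmd for tok in USERNAME_TOKENS):
                findings.append((lineno, cmd))
    return findings


def version_is_fixed(ssh_v_output):
    """Parse a banner such as 'OpenSSH_9.9p1, OpenSSL 3.0.13 ...' (what `ssh -V`
    prints) and report whether it is at or above the fixed release."""
    m = re.search(r'OpenSSH_(\d+)\.(\d+)', ssh_v_output)
    if not m:
        raise ValueError("not an OpenSSH version banner")
    return (int(m.group(1)), int(m.group(2))) >= FIXED_VERSION


# Constructed sample ssh_config for demonstration; not taken from any real host.
SAMPLE_CONFIG = """\
Host *
    ServerAliveInterval 30
# Risky: the exec command embeds the %u username token
Match host bastion.example exec "test -f /tmp/allow-%u"
    ProxyJump jump.example
# Safe: no username token in the exec command
Match exec "test -f ~/.ssh/vpn-up"
    ProxyCommand nc -x localhost:1080 %h %p
"""

if __name__ == "__main__":
    for lineno, cmd in find_risky_match_exec(SAMPLE_CONFIG):
        print(f"line {lineno}: Match exec command embeds a username token: {cmd!r}")
```

Run it against a real file with `find_risky_match_exec(open(path).read())`; a non-empty result on a client older than 10.3 is the configuration the advisory describes.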

Added: Apr 2, 2026, 5:42 PM
Updated: Apr 2, 2026, 5:42 PM

Vulnerability Rating

Custom Algorithm
spread: 9.4
impact: 7.5
exploitability: 4.3
remediation: 7.7
relevance: 5.1
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.