Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-59995 (GCVE-0-2026-59995)
Vulnerability from cvelistv5 – Published: 2026-07-08 00:04 – Updated: 2026-07-08 12:52- CWE-23 - Relative Path Traversal
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59995",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T12:52:29.053569Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T12:52:35.500Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenSSH",
"vendor": "OpenBSD",
"versions": [
{
"lessThan": "10.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when \"sftp server:/path .\" is used with an attacker-controlled server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T00:04:49.995Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.openwall.com/lists/oss-security/2026/07/06/5"
},
{
"url": "https://marc.info/?l=openssh-unix-dev\u0026m=178333966933090\u0026w=2"
},
{
"url": "https://www.openssh.org/releasenotes.html#10.4p1"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-59995",
"datePublished": "2026-07-08T00:04:49.995Z",
"dateReserved": "2026-07-08T00:04:49.591Z",
"dateUpdated": "2026-07-08T12:52:35.500Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-59995",
"date": "2026-07-10",
"epss": "0.00218",
"percentile": "0.12185"
},
"microsoft_vex": {
"current_release_date": "2026-07-09T01:01:28.000Z",
"cve": "CVE-2026-59995",
"id": "msrc_CVE-2026-59995",
"initial_release_date": "2026-07-02T00:00:00.000Z",
"product_status:known_affected": "1",
"source": "Microsoft CSAF VEX",
"status": "final",
"title": "sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when \"sftp server:/path .\" is used with an attacker-controlled server.",
"url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-59995.json",
"version": "1"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-59995\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2026-07-08T01:16:28.390\",\"lastModified\":\"2026-07-09T17:14:47.550\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when \\\"sftp server:/path .\\\" is used with an attacker-controlled server.\"}],\"affected\":[{\"source\":\"cve@mitre.org\",\"affectedData\":[{\"vendor\":\"OpenBSD\",\"product\":\"OpenSSH\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"10.4\",\"versionType\":\"custom\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L\",\"baseScore\":4.2,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.6,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-07-08T12:52:29.053569Z\",\"id\":\"CVE-2026-59995\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-23\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"10.4\",\"matchCriteriaId\":\"947E3B1E-F0DF-47BC-87D8-358B55B164AD\"}]}]}],\"references\":[{\"url\":\"https://marc.info/?l=openssh-unix-dev\u0026m=178333966933090\u0026w=2\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://www.openssh.org/releasenotes.html#10.4p1\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://www.openwall.com/lists/oss-security/2026/07/06/5\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Release Notes\"]}]}}",
"redhat_vex": {
"aggregate_severity": "Moderate",
"current_release_date": "2026-07-09T18:01:51+00:00",
"cve": "CVE-2026-59995",
"id": "CVE-2026-59995",
"initial_release_date": "2026-07-08T00:04:49.995000+00:00",
"product_status:fixed": "3",
"product_status:known_affected": "41",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "openssh: OpenSSH: sftp client allows attacker to control downloaded file location",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-59995.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-59995\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-07-08T12:52:29.053569Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-07-08T12:52:31.698Z\"}}], \"cna\": {\"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"OpenBSD\", \"product\": \"OpenSSH\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"10.4\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.openwall.com/lists/oss-security/2026/07/06/5\"}, {\"url\": \"https://marc.info/?l=openssh-unix-dev\u0026m=178333966933090\u0026w=2\"}, {\"url\": \"https://www.openssh.org/releasenotes.html#10.4p1\"}], \"x_generator\": {\"engine\": \"CVE-Request-form 0.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when \\\"sftp server:/path .\\\" is used with an attacker-controlled server.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-23\", \"description\": \"CWE-23 Relative Path Traversal\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"10.4\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2026-07-08T00:04:49.995Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-59995\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-07-08T12:52:35.500Z\", \"dateReserved\": \"2026-07-08T00:04:49.591Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2026-07-08T00:04:49.995Z\", \"assignerShortName\": \"mitre\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-59995
Vulnerability from fkie_nvd - Published: 2026-07-08 01:16 - Updated: 2026-07-09 17:145.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://marc.info/?l=openssh-unix-dev&m=178333966933090&w=2 | Release Notes | |
| cve@mitre.org | https://www.openssh.org/releasenotes.html#10.4p1 | Release Notes | |
| cve@mitre.org | https://www.openwall.com/lists/oss-security/2026/07/06/5 | Mailing List, Release Notes |
{
"affected": [
{
"affectedData": [
{
"defaultStatus": "unaffected",
"product": "OpenSSH",
"vendor": "OpenBSD",
"versions": [
{
"lessThan": "10.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"source": "cve@mitre.org"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
"matchCriteriaId": "947E3B1E-F0DF-47BC-87D8-358B55B164AD",
"versionEndExcluding": "10.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when \"sftp server:/path .\" is used with an attacker-controlled server."
}
],
"id": "CVE-2026-59995",
"lastModified": "2026-07-09T17:14:47.550",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 2.5,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-59995",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T12:52:29.053569Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-07-08T01:16:28.390",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://marc.info/?l=openssh-unix-dev\u0026m=178333966933090\u0026w=2"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.openssh.org/releasenotes.html#10.4p1"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Release Notes"
],
"url": "https://www.openwall.com/lists/oss-security/2026/07/06/5"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-23"
}
],
"source": "cve@mitre.org",
"type": "Secondary"
}
]
}
GHSA-2PRH-86CW-FM96
Vulnerability from github – Published: 2026-07-08 03:30 – Updated: 2026-07-08 03:30sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server.
{
"affected": [],
"aliases": [
"CVE-2026-59995"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-08T01:16:28Z",
"severity": "MODERATE"
},
"details": "sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when \"sftp server:/path .\" is used with an attacker-controlled server.",
"id": "GHSA-2prh-86cw-fm96",
"modified": "2026-07-08T03:30:27Z",
"published": "2026-07-08T03:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59995"
},
{
"type": "WEB",
"url": "https://marc.info/?l=openssh-unix-dev\u0026m=178333966933090\u0026w=2"
},
{
"type": "WEB",
"url": "https://www.openssh.org/releasenotes.html#10.4p1"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2026/07/06/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
MSRC_CVE-2026-59995
Vulnerability from csaf_microsoft - Published: 2026-07-02 00:00 - Updated: 2026-07-09 01:01| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17084-1 | — |
None Available
|
| URL | Category |
|---|---|
| https://msrc.microsoft.com/csaf/vex/2026/msrc_cve… | self |
| https://support.microsoft.com/lifecycle | external |
| https://www.first.org/cvss | external |
| https://msrc.microsoft.com/csaf/vex/2026/msrc_cve… | self |
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2026-59995 sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when \"sftp server:/path .\" is used with an attacker-controlled server. - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-59995.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when \"sftp server:/path .\" is used with an attacker-controlled server.",
"tracking": {
"current_release_date": "2026-07-09T01:01:28.000Z",
"generator": {
"date": "2026-07-09T07:36:40.073Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2026-59995",
"initial_release_date": "2026-07-02T00:00:00.000Z",
"revision_history": [
{
"date": "2026-07-09T01:01:28.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "azl3 openssh 0:9.8p1-8.azl3",
"product": {
"name": "azl3 openssh 0:9.8p1-8.azl3",
"product_id": "1"
}
}
],
"category": "product_name",
"name": "openssh"
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 openssh 0:9.8p1-8.azl3 as a component of Azure Linux 3.0",
"product_id": "17084-1"
},
"product_reference": "1",
"relates_to_product_reference": "17084"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-59995",
"cwe": {
"id": "CWE-23",
"name": "Relative Path Traversal"
},
"notes": [
{
"category": "general",
"text": "mitre",
"title": "Assigning CNA"
}
],
"product_status": {
"known_affected": [
"17084-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-59995 sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when \"sftp server:/path .\" is used with an attacker-controlled server. - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-59995.json"
}
],
"remediations": [
{
"category": "none_available",
"date": "2026-07-09T01:01:28.000Z",
"details": "There is no fix available for this vulnerability as of now",
"product_ids": [
"17084-1"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"environmentalsScore": 0.0,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 4.2,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"17084-1"
]
}
],
"title": "sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when \"sftp server:/path .\" is used with an attacker-controlled server."
}
]
}
RHSA-2026:37382
Vulnerability from csaf_redhat - Published: 2026-07-09 14:40 - Updated: 2026-07-09 17:43A flaw was found in OpenSSH. The `sftp` client, when used to download files from a malicious server with the 'sftp server:/path .' command, does not properly restrict where those files are saved. This allows an attacker to control the download location, potentially overwriting existing files or placing malicious files in sensitive directories on the client system, which could compromise system integrity.
A flaw was found in OpenSSH. The internal-sftp component within sshd incorrectly processes command-line arguments, recognizing only the first nine. This limitation can prevent the application of intended security configurations for SFTP (SSH File Transfer Protocol) connections, potentially leading to a bypass of security properties.
A flaw was found in OpenSSH. The sshd component has an undocumented security-relevant behavior where GSSAPIStrictAcceptorCheck has no value when the server is in a Windows Active Directory environment. This could lead to unintended information disclosure and impact data integrity.
A flaw was found in `sshd`, the OpenSSH server daemon. When `DisableForwarding=yes` is configured to prevent network traffic forwarding, it incorrectly fails to take precedence over `PermitTunnel=yes`. This allows a remote attacker to bypass intended security restrictions and establish a tunnel, potentially leading to unauthorized network access or circumvention of security policies, even when forwarding is explicitly disabled.
A flaw was found in OpenSSH's Secure Shell Daemon (sshd). This vulnerability allows a remote attacker to cause a denial of service by initiating an excessive number of authentication attempts. The issue arises from the mishandling of the MaxAuthTries setting specifically when using GSSAPIAuthentication, leading to resource exhaustion.
A flaw was found in OpenSSH's SSH daemon (sshd). A remote attacker could exploit this vulnerability by repeatedly attempting authentication. The flaw allows the attacker to bypass the intended minimum authentication delay, which can facilitate brute-force attacks. This makes it easier for an attacker to guess valid credentials, potentially leading to unauthorized access or a denial of service.
A flaw was found in OpenSSH. A remote attacker could exploit a use-after-free vulnerability on the client side when a server changes its host key during a key re-exchange. This could lead to high impact on confidentiality and integrity, and low impact on availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:openssh-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:openssh-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:openssh-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\nopenssh:\n * openssh-10.4p1-1.hum1 (aarch64, x86_64)\n * openssh-askpass-10.4p1-1.hum1 (aarch64, x86_64)\n * openssh-clients-10.4p1-1.hum1 (aarch64, x86_64)\n * openssh-keycat-10.4p1-1.hum1 (aarch64, x86_64)\n * openssh-keysign-10.4p1-1.hum1 (aarch64, x86_64)\n * openssh-server-10.4p1-1.hum1 (aarch64, x86_64)\n * openssh-sk-dummy-10.4p1-1.hum1 (aarch64, x86_64)\n * openssh-10.4p1-1.hum1.src (src)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:37382",
"url": "https://access.redhat.com/errata/RHSA-2026:37382"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-59996",
"url": "https://access.redhat.com/security/cve/CVE-2026-59996"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-59998",
"url": "https://access.redhat.com/security/cve/CVE-2026-59998"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-60001",
"url": "https://access.redhat.com/security/cve/CVE-2026-60001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-60002",
"url": "https://access.redhat.com/security/cve/CVE-2026-60002"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-59995",
"url": "https://access.redhat.com/security/cve/CVE-2026-59995"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-59999",
"url": "https://access.redhat.com/security/cve/CVE-2026-59999"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-59997",
"url": "https://access.redhat.com/security/cve/CVE-2026-59997"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-60000",
"url": "https://access.redhat.com/security/cve/CVE-2026-60000"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_37382.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-07-09T17:43:13+00:00",
"generator": {
"date": "2026-07-09T17:43:13+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.2"
}
},
"id": "RHSA-2026:37382",
"initial_release_date": "2026-07-09T14:40:15+00:00",
"revision_history": [
{
"date": "2026-07-09T14:40:15+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-07-09T16:39:09+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-09T17:43:13+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "openssh-main@aarch64",
"product": {
"name": "openssh-main@aarch64",
"product_id": "openssh-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openssh@10.4p1-1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "openssh-main@src",
"product": {
"name": "openssh-main@src",
"product_id": "openssh-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openssh@10.4p1-1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "openssh-main@x86_64",
"product": {
"name": "openssh-main@x86_64",
"product_id": "openssh-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openssh@10.4p1-1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openssh-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:openssh-main@aarch64"
},
"product_reference": "openssh-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openssh-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:openssh-main@src"
},
"product_reference": "openssh-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openssh-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:openssh-main@x86_64"
},
"product_reference": "openssh-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-59995",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-07-08T01:01:01.518880+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2497927"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenSSH. The `sftp` client, when used to download files from a malicious server with the \u0027sftp server:/path .\u0027 command, does not properly restrict where those files are saved. This allows an attacker to control the download location, potentially overwriting existing files or placing malicious files in sensitive directories on the client system, which could compromise system integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssh: OpenSSH: sftp client allows attacker to control downloaded file location",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-59995"
},
{
"category": "external",
"summary": "RHBZ#2497927",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2497927"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-59995",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-59995"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-59995",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59995"
},
{
"category": "external",
"summary": "https://marc.info/?l=openssh-unix-dev\u0026m=178333966933090\u0026w=2",
"url": "https://marc.info/?l=openssh-unix-dev\u0026m=178333966933090\u0026w=2"
},
{
"category": "external",
"summary": "https://www.openssh.org/releasenotes.html#10.4p1",
"url": "https://www.openssh.org/releasenotes.html#10.4p1"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2026/07/06/5",
"url": "https://www.openwall.com/lists/oss-security/2026/07/06/5"
}
],
"release_date": "2026-07-08T00:04:49.995000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-09T14:40:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:37382"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openssh: OpenSSH: sftp client allows attacker to control downloaded file location"
},
{
"cve": "CVE-2026-59997",
"cwe": {
"id": "CWE-88",
"name": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)"
},
"discovery_date": "2026-07-08T01:01:08.930287+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2497929"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenSSH. The internal-sftp component within sshd incorrectly processes command-line arguments, recognizing only the first nine. This limitation can prevent the application of intended security configurations for SFTP (SSH File Transfer Protocol) connections, potentially leading to a bypass of security properties.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssh: OpenSSH: SFTP security bypass due to command-line argument parsing flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-59997"
},
{
"category": "external",
"summary": "RHBZ#2497929",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2497929"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-59997",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-59997"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-59997",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59997"
},
{
"category": "external",
"summary": "https://marc.info/?l=openssh-unix-dev\u0026m=178333966933090\u0026w=2",
"url": "https://marc.info/?l=openssh-unix-dev\u0026m=178333966933090\u0026w=2"
},
{
"category": "external",
"summary": "https://www.openssh.org/releasenotes.html#10.4p1",
"url": "https://www.openssh.org/releasenotes.html#10.4p1"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2026/07/06/5",
"url": "https://www.openwall.com/lists/oss-security/2026/07/06/5"
}
],
"release_date": "2026-07-08T00:09:04.920000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-09T14:40:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:37382"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "openssh: OpenSSH: SFTP security bypass due to command-line argument parsing flaw"
},
{
"cve": "CVE-2026-59998",
"cwe": {
"id": "CWE-909",
"name": "Missing Initialization of Resource"
},
"discovery_date": "2026-07-08T01:01:30.478799+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2497935"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenSSH. The sshd component has an undocumented security-relevant behavior where GSSAPIStrictAcceptorCheck has no value when the server is in a Windows Active Directory environment. This could lead to unintended information disclosure and impact data integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssh: OpenSSH: Undocumented GSSAPIStrictAcceptorCheck behavior impacts security in Windows Active Directory",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-59998"
},
{
"category": "external",
"summary": "RHBZ#2497935",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2497935"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-59998",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-59998"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-59998",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59998"
},
{
"category": "external",
"summary": "https://marc.info/?l=openssh-unix-dev\u0026m=178333966933090\u0026w=2",
"url": "https://marc.info/?l=openssh-unix-dev\u0026m=178333966933090\u0026w=2"
},
{
"category": "external",
"summary": "https://www.openssh.org/releasenotes.html#10.4p1",
"url": "https://www.openssh.org/releasenotes.html#10.4p1"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2026/07/06/5",
"url": "https://www.openwall.com/lists/oss-security/2026/07/06/5"
}
],
"release_date": "2026-07-08T00:11:05.183000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-09T14:40:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:37382"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "openssh: OpenSSH: Undocumented GSSAPIStrictAcceptorCheck behavior impacts security in Windows Active Directory"
},
{
"cve": "CVE-2026-59999",
"cwe": {
"id": "CWE-358",
"name": "Improperly Implemented Security Check for Standard"
},
"discovery_date": "2026-07-08T01:01:55.619428+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2497942"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in `sshd`, the OpenSSH server daemon. When `DisableForwarding=yes` is configured to prevent network traffic forwarding, it incorrectly fails to take precedence over `PermitTunnel=yes`. This allows a remote attacker to bypass intended security restrictions and establish a tunnel, potentially leading to unauthorized network access or circumvention of security policies, even when forwarding is explicitly disabled.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssh: OpenSSH sshd: Security bypass due to incorrect handling of forwarding and tunneling options",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-59999"
},
{
"category": "external",
"summary": "RHBZ#2497942",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2497942"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-59999",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-59999"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-59999",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59999"
},
{
"category": "external",
"summary": "https://marc.info/?l=openssh-unix-dev\u0026m=178333966933090\u0026w=2",
"url": "https://marc.info/?l=openssh-unix-dev\u0026m=178333966933090\u0026w=2"
},
{
"category": "external",
"summary": "https://www.openssh.org/releasenotes.html#10.4p1",
"url": "https://www.openssh.org/releasenotes.html#10.4p1"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2026/07/06/5",
"url": "https://www.openwall.com/lists/oss-security/2026/07/06/5"
}
],
"release_date": "2026-07-08T00:13:08.397000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-09T14:40:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:37382"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "openssh: OpenSSH sshd: Security bypass due to incorrect handling of forwarding and tunneling options"
},
{
"cve": "CVE-2026-60000",
"cwe": {
"id": "CWE-307",
"name": "Improper Restriction of Excessive Authentication Attempts"
},
"discovery_date": "2026-07-08T01:02:09.730221+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2497946"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenSSH\u0027s Secure Shell Daemon (sshd). This vulnerability allows a remote attacker to cause a denial of service by initiating an excessive number of authentication attempts. The issue arises from the mishandling of the MaxAuthTries setting specifically when using GSSAPIAuthentication, leading to resource exhaustion.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssh: OpenSSH: Denial of Service via excessive GSSAPI authentication attempts",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-60000"
},
{
"category": "external",
"summary": "RHBZ#2497946",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2497946"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-60000",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-60000"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-60000",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-60000"
},
{
"category": "external",
"summary": "https://marc.info/?l=openssh-unix-dev\u0026m=178333966933090\u0026w=2",
"url": "https://marc.info/?l=openssh-unix-dev\u0026m=178333966933090\u0026w=2"
},
{
"category": "external",
"summary": "https://www.openssh.org/releasenotes.html#10.4p1",
"url": "https://www.openssh.org/releasenotes.html#10.4p1"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2026/07/06/5",
"url": "https://www.openwall.com/lists/oss-security/2026/07/06/5"
}
],
"release_date": "2026-07-08T00:14:31.230000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-09T14:40:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:37382"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "openssh: OpenSSH: Denial of Service via excessive GSSAPI authentication attempts"
},
{
"cve": "CVE-2026-60001",
"cwe": {
"id": "CWE-307",
"name": "Improper Restriction of Excessive Authentication Attempts"
},
"discovery_date": "2026-07-08T01:01:40.680574+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2497938"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenSSH\u0027s SSH daemon (sshd). A remote attacker could exploit this vulnerability by repeatedly attempting authentication. The flaw allows the attacker to bypass the intended minimum authentication delay, which can facilitate brute-force attacks. This makes it easier for an attacker to guess valid credentials, potentially leading to unauthorized access or a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssh: OpenSSH: Brute-force attacks facilitated due to insufficient authentication delay",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-60001"
},
{
"category": "external",
"summary": "RHBZ#2497938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2497938"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-60001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-60001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-60001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-60001"
},
{
"category": "external",
"summary": "https://marc.info/?l=openssh-unix-dev\u0026m=178333966933090\u0026w=2",
"url": "https://marc.info/?l=openssh-unix-dev\u0026m=178333966933090\u0026w=2"
},
{
"category": "external",
"summary": "https://www.openssh.org/releasenotes.html#10.4p1",
"url": "https://www.openssh.org/releasenotes.html#10.4p1"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2026/07/06/5",
"url": "https://www.openwall.com/lists/oss-security/2026/07/06/5"
}
],
"release_date": "2026-07-08T00:16:15.497000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-09T14:40:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:37382"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "openssh: OpenSSH: Brute-force attacks facilitated due to insufficient authentication delay"
},
{
"cve": "CVE-2026-60002",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"discovery_date": "2026-07-08T01:01:33.808610+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2497936"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenSSH. A remote attacker could exploit a use-after-free vulnerability on the client side when a server changes its host key during a key re-exchange. This could lead to high impact on confidentiality and integrity, and low impact on availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssh: OpenSSH: Use-after-free vulnerability during host key re-exchange on the client side",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important flaw in OpenSSH client could allow a malicious SSH server to execute arbitrary code on the connecting client due to a use-after-free vulnerability during host key re-exchange. While requiring a connection to a specially crafted server, the potential for high impact on client confidentiality and integrity elevates the severity beyond Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-60002"
},
{
"category": "external",
"summary": "RHBZ#2497936",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2497936"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-60002",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-60002"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-60002",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-60002"
},
{
"category": "external",
"summary": "https://marc.info/?l=openssh-unix-dev\u0026m=178333966933090\u0026w=2",
"url": "https://marc.info/?l=openssh-unix-dev\u0026m=178333966933090\u0026w=2"
},
{
"category": "external",
"summary": "https://www.openssh.org/releasenotes.html#10.4p1",
"url": "https://www.openssh.org/releasenotes.html#10.4p1"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2026/07/06/5",
"url": "https://www.openwall.com/lists/oss-security/2026/07/06/5"
}
],
"release_date": "2026-07-08T00:17:33.058000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-09T14:40:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:37382"
},
{
"category": "workaround",
"details": "To mitigate this issue, OpenSSH clients should only connect to trusted SSH servers. Enforcing strict host key checking and carefully managing `known_hosts` files can help prevent connections to servers with unexpected or altered host keys, thereby reducing exposure to this client-side vulnerability.",
"product_ids": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openssh: OpenSSH: Use-after-free vulnerability during host key re-exchange on the client side"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.