Protect.Computer
NEWS

OpenSSH 10.3 fixes security flaws, including SSH client command-injection risk

· 1 min read · Network safety Device safety
OpenSSH 10.3 fixes security flaws, including SSH client command-injection risk

Photo by Clément H on Unsplash

What happened

OpenSSH released version 10.3 on April 2, 2026 with multiple security fixes. One of the most important fixes addresses a scenario where attacker-controlled usernames could be expanded in specific SSH client configurations and potentially lead to arbitrary shell command execution.

The release also fixes additional issues affecting certificate principal matching, accepted ECDSA algorithm filtering in sshd, and legacy scp behavior around privilege bits.

Why this matters

OpenSSH is widely deployed on Linux, macOS, servers, developer workstations, and network infrastructure. Even when exploitation conditions are configuration-dependent, these flaws can become high impact in automated environments (jump hosts, scripts, CI/CD runners, and bastion workflows).

In short: if your environment relies on SSH heavily, delayed patching increases risk.

How to check if you’re affected

You are likely affected if you run OpenSSH versions earlier than 10.3.

  1. Check installed version

    • Linux/macOS: run ssh -V
    • Server side: verify package version for openssh-client and openssh-server

  2. Review SSH client config for risky token expansion paths

    • Inspect ~/.ssh/config and system SSH configs for complex Match exec usage and %u token-based logic.
    • If untrusted input can influence usernames or host arguments in automation, treat as elevated risk.

  3. Check SSH certificate and CA trust usage

    • If you use certificate-based auth with custom principals handling, re-validate policy behavior after updating.

  4. Patch and restart where needed

    • Upgrade to OpenSSH 10.3 (or vendor backport with equivalent fixes).
    • Restart SSH services according to your platform package guidance.

Immediate defensive actions

  • Prioritize updates on internet-facing bastions and shared admin hosts.
  • Avoid feeding untrusted values into SSH command lines in scripts.
  • Review and tighten certificate principal handling and accepted algorithms.
  • Audit legacy scp -O usage, especially in privileged automation paths.

Sources

Bottom line

If you run OpenSSH in production or automation-heavy environments, update to 10.3 quickly and review configs where user-controlled values could flow into SSH execution paths.

Related reading

News
Cisco IMC auth bypass (CVE-2026-20093) can let attackers take admin control

Cisco says a critical IMC flaw can let unauthenticated attackers bypass auth, reset passwords, and log in as admin on vulnerable UCS servers.

News
Oracle patches critical Identity Manager RCE (CVE-2026-21992)

Oracle issued an out-of-band fix for CVE-2026-21992, a critical unauthenticated RCE flaw in Identity Manager and Web Services Manager.

News
Over 14,000 F5 BIG-IP APM systems still exposed after active CVE-2025-53521 exploitation alerts

F5 BIG-IP APM CVE-2025-53521 is in CISA KEV and confirmed exploited; thousands of internet-facing systems remain exposed, making patch verification urgent.

News
OpenClaw patches unauthenticated Telegram webhook resource-exhaustion flaw (CVE-2026-32980)

OpenClaw fixed CVE-2026-32980 in version 2026.3.13, preventing unauthenticated Telegram webhook requests from forcing pre-auth body parsing and resource exhaustion.