Tracked as CVE-2026-35414 (CVSS score of 8.1), the flaw is described as a mishandling of the authorized_keys principals option in certain scenarios involving certificate authorities (CA) that use comma characters.

According to Cyera, because of the bug, a comma in an SSH certificate principal name leads to OpenSSH access control bypass, allowing users to authenticate as root on a vulnerable server, as long as they have a valid certificate from a trusted CA.

Actually, you might be right, it was a better time. Perhaps we should just wait it out and see if a better time appears? 😄

No, it’s long past the time. I guess now is the next best time though.