🟠 High | Source: Microsoft Security Response Center
A vulnerability in OpenSSH versions before 10.3 (CVE-2026-35414) means the authorised_keys principals option is not handled correctly in certain edge cases where a principals list is combined with a Certificate Authority that uses comma characters in specific ways. This could allow unintended principals to authenticate, potentially granting unauthorised SSH access to affected systems. The issue is particularly relevant to cloud environments where certificate-based SSH authentication is used at scale.
Architect’s Take: Audit your SSH certificate infrastructure to identify any Certificate Authorities or authorised_keys configurations that use comma characters within principals lists, and prioritise upgrading OpenSSH to 10.3 or later across all Azure VMs and jump hosts. Consider enforcing certificate-based SSH access policies via Azure Policy to ensure patched versions are consistently deployed.