{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3aopenbsdopenssh/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":4.8,"id":"CVE-2026-59998"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["sshd in OpenSSH \u003c 10.4","Active Directory"],"_cs_severities":["medium"],"_cs_tags":["vulnerability","openssh","gssapi","active-directory","windows","misconfiguration"],"_cs_type":"advisory","_cs_vendors":["OpenSSH","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-59998 identifies an undocumented security-relevant behavior in \u003ccode\u003esshd\u003c/code\u003e, the OpenSSH server daemon, affecting versions prior to 10.4. This vulnerability manifests when \u003ccode\u003esshd\u003c/code\u003e operates within a Windows Active Directory environment, specifically concerning the \u003ccode\u003eGSSAPIStrictAcceptorCheck\u003c/code\u003e configuration setting. In this scenario, the setting is rendered ineffective, meaning it \u0026quot;has no value.\u0026quot; This undocumented behavior could lead to an unexpected weakening of GSSAPI authentication strictness, potentially allowing for authentication bypasses or unintended access if the security posture relies on this particular check being enforced. The vulnerability was published on July 11, 2026, and impacts organizations using OpenSSH \u003ccode\u003esshd\u003c/code\u003e integrated with Active Directory for authentication. This is not an active exploit but a behavioral flaw that could be leveraged.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of CVE-2026-59998 is a potential degradation of the intended security posture for OpenSSH servers integrated with Windows Active Directory via GSSAPI. If administrators have configured \u003ccode\u003eGSSAPIStrictAcceptorCheck\u003c/code\u003e expecting it to enforce stricter validation of GSSAPI credentials, this vulnerability means those checks are not being performed. This could allow an attacker to bypass specific GSSAPI security mechanisms, leading to unauthorized access or authentication with less stringent requirements than intended. While no specific incidents of exploitation or victim counts are available, the risk lies in the unexpected authentication behavior that could be exploited in specific Active Directory configurations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch OpenSSH deployments to version 10.4 or later to address the undocumented behavior identified in CVE-2026-59998.\u003c/li\u003e\n\u003cli\u003eReview and reassess the security configurations of OpenSSH servers utilizing GSSAPI authentication in Windows Active Directory environments, specifically understanding the implications of \u003ccode\u003eGSSAPIStrictAcceptorCheck\u003c/code\u003e's ineffectiveness as described in CVE-2026-59998.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-11T07:33:28Z","date_published":"2026-07-11T07:33:28Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openssh-sshd-gssapi-behavior/","summary":"CVE-2026-59998 describes an undocumented security-relevant behavior in sshd, a component of OpenSSH, specifically in versions prior to 10.4, where the GSSAPIStrictAcceptorCheck setting reportedly has no value when the server is operating within a Windows Active Directory environment.","title":"OpenSSH sshd GSSAPI Behavior Vulnerability CVE-2026-59998","url":"https://feed.craftedsignal.io/briefs/2026-07-openssh-sshd-gssapi-behavior/"}],"language":"en","title":"CraftedSignal Threat Feed - Cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}