A 15-year-old vulnerability in OpenSSH has been discovered that could allow attackers to gain full root shell access to servers by exploiting a simple comma in certificate principal names. The bug, tracked as CVE-2026-35414, works because OpenSSH mistakenly treats the comma as a list separator, turning a low-privilege identity into a root credential. The attack doesn't trigger authentication failures in logs, making it nearly impossible to detect through normal monitoring. The flaw was patched in OpenSSH version 10.3 in early April, and security experts say organizations should update immediately.
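Because the attack is not expected to show up as authentication failures, one place a defender can look is the certificates themselves. The following is an added example, not code from OpenSSH or from the original article: it parses the text printed by `ssh-keygen -L`, flags any principal containing a comma, and shows the names a comma-separated list parser would see. The sample listing, the function names and the CA-side guard are assumptions made for illustration.

```python
"""Audit `ssh-keygen -L` listings for certificate principals that contain a comma."""

# Constructed sample in the layout printed by `ssh-keygen -L -f <cert>`; not a real certificate.
SAMPLE_LISTING = """\
/tmp/example-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:CONSTRUCTED-PLACEHOLDER
        Signing CA: ED25519 SHA256:CONSTRUCTED-PLACEHOLDER (using ssh-ed25519)
        Key ID: "ci-runner"
        Serial: 42
        Valid: forever
        Principals:
                ci-runner,root
                backup
        Critical Options: (none)
        Extensions:
                permit-pty
"""

def parse_principals(listing):
    """Return principals exactly as listed: the lines indented deeper than 'Principals:'."""
    principals, block_indent = [], None
    for line in listing.splitlines():
        indent = len(line) - len(line.lstrip())
        text = line.strip()
        if block_indent is not None and text and indent > block_indent:
            principals.append(text)
            continue
        # Any other line either opens a new Principals block or closes the current one.
        block_indent = indent if text.startswith("Principals:") else None
    return principals

def audit(listing):
    """Map each comma-bearing principal to the names a comma-separated list parser would see."""
    return {p: p.split(",") for p in parse_principals(listing) if "," in p}

def refuse_to_sign(requested):
    """Hypothetical CA-side guard: requested principals to reject before issuing a certificate."""
    return [p for p in requested if "," in p or not p.strip()]

if __name__ == "__main__":
    for principal, seen_as in audit(SAMPLE_LISTING).items():
        print(f"REVIEW: principal {principal!r} would be read as {seen_as}")
```

Run it over the `ssh-keygen -L` output of issued certificates; any hit is a certificate to review with the CA that signed it.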