CVE-2026-35414 and CVE-2026-35385 were published on April 2 2026.

CVE-2026-35414 description: OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.

CVE-2026-35385 description: In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).

CAS software 3.2.X

Even though CAS software 3.2.X is using OpenSSH version prior to 10.3, none of these vulnerabilities impacts CAS software 3.2.X.