Provenance Record

High-quality 797-word News piece (with light Analysis section) on CVE-2026-35414. Structure is sound (Overview / What We Know / Distributions / What We Don't Know / Analysis), attribution is consistent and inline, and the technical level is appropriate. The 'door + ID' analogy is quoted from Cyera, not invented by the bot.

Read all 6 gzipped snapshots from disk. Every claim verified verbatim: • source-0.html.gz (OpenSSH 10.3 release notes): Confirms release date 2026-04-02, Vladimir Tokarev as reporter for the principals fix, the verbatim long quote 'when matching an authorized_keys principals="" option against a list of principals in a certificate, an incorrect algorithm was used that could allow inappropriate matching in cases where a principal name in the certificate contains a comma character', Florian Kohnhäuser's ssh(1) shell-metacharacter fix, Christos Papakonstantinou of Cantina and Spearbit's scp(1) setuid/setgid bug. • source-1.html.gz (NIST NVD CVE-2026-35414): Confirms NVD base score 8.1 HIGH, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, CWE-670 'Always-Incorrect Control Flow Implementation', verbatim NVD description 'OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters'. (Note: NVD attributes CWE-670 to MITRE; article does not claim a particular source for the CWE assignment, so this is fine.) • source-2.html.gz (SecurityWeek): Confirms 15-year framing in the headline 'OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 Years'; verbatim quote 'The server considers the authentication legitimate, meaning this attack does not register an authentication failure in logs, making log-based detection highly unreliable' (in the article's wording). • source-3.html.gz (Cyera, Apr 29, 2026): Confirms publication date Apr 29, 2026 (in blog-post-header_date); verbatim 'John,Manager' analogy quote; verbatim 'the flaw has been present for over 15 years and was fixed this week'. • source-4.html.gz (CIS / MS-ISAC advisory 2026-040): Confirms advisory number 2026-040, date 04/28/2026, HIGH risk for large/medium government and businesses; verbatim quote 'A comma in an SSH certificate principal name leads to OpenSSH access control bypass, allowing users to authenticate as root on a vulnerable server, as long as they have a valid certificate from a trusted CA'. • source-5.html.gz (Ubuntu security tracker): Confirms Ubuntu priority Medium; all four backport version strings: 26.04 LTS Fixed 1:10.2p1-2ubuntu3.2; 25.10 Fixed 1:10.0p1-5ubuntu5.4; 24.04 LTS Fixed 1:9.6p1-3ubuntu13.16; 22.04 LTS Fixed 1:8.9p1-3ubuntu0.15. Every inline link points to a source that contains the specific claim attached. No misattribution detected. No fabricated quantitative claims.

All factual claims verified against the snapshots. No hallucinations. The article correctly notes the CVSS divergence (NVD 8.1 HIGH vs Ubuntu Medium / MITRE 4.2 — the snapshot shows MITRE CNA records 4.2 Medium, which the article attributes to Ubuntu's 'Medium priority' framing rather than the MITRE CVSS line; both Medium ratings are present in the source ecosystem).

High-quality submission. Verdict APPROVE_WITH_CORRECTIONS solely because 4 of 6 source domains aren't in the allowlist (3 of which — openssh.org, cisecurity.org, ubuntu.com — are obvious primary sources for an advisory of this type). The corrections file documents this gap. Article is publishable as-is.