CVE-2025-32728
Description
DisableForwarding in OpenSSH before 10.0 fails to actually disable X11 and agent forwarding as documented.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In sshd in OpenSSH before version 10.0, the DisableForwarding configuration directive does not behave as its documentation states. The directive is documented as disabling X11, agent, TCP, tunnel and Unix-domain-socket forwarding, but the session handling code in session.c never consults options.disable_forwarding when it processes X11 forwarding requests (function session_setup_x11fwd) or agent forwarding requests (function session_auth_agent_req). Setting DisableForwarding yes in sshd_config therefore has no effect on those two forwarding types, while the other forwarding types the directive covers are checked elsewhere and remain blocked. Every release from 7.4, which introduced the directive [5], through 9.9 is affected; the issue is fixed in OpenSSH 10.0 and in the OpenBSD 7.6 errata 013 patch [1][3][4].
Exploitation
An attacker who can authenticate to an affected OpenSSH server and then requests X11 or agent forwarding (ssh -X or ssh -A, or the equivalent ForwardX11 and ForwardAgent client options) is granted it even though the administrator has explicitly disabled forwarding with DisableForwarding. Valid SSH credentials and network access to the server are required; no race condition or user interaction beyond normal session establishment is involved [1][4]. The per-type directives are still honoured, so the request must also pass X11Forwarding yes (default no) for X11 and AllowAgentForwarding yes (default yes) for the agent, and must not be denied by a per-key restriction in authorized_keys. The practical exposure is therefore hosts whose administrators relied on DisableForwarding alone.
Impact
Successful exploitation bypasses the intended DisableForwarding policy: the session obtains an X11 channel and an agent-forwarding socket that the administrator believed were unavailable. Agent forwarding exposes the connecting user's private-key operations to the server side, where that user's own processes or anyone with root can drive the forwarded socket to authenticate as the user to other hosts; X11 forwarding exposes the user's local display (screen contents and keystrokes) to programs running on the server. The result is a loss of confidentiality and a path for lateral movement, for example on shared systems or jump hosts where DisableForwarding was set precisely to contain that exposure [1][4].
Mitigation
The vulnerability is fixed in OpenSSH 10.0, released on 2025-04-09 [1][3], and in the OpenBSD 7.6 errata 013 patch of the same date [4]. Administrators should upgrade to OpenSSH 10.0 or install their distribution's backported package; several vendors ship the fix under pre-10.0 version numbers (see the package ranges under Affected products), so check the package version and changelog rather than the bare OpenSSH version. Until the fix is installed there is a direct workaround, because the per-type directives were never affected: set X11Forwarding no and AllowAgentForwarding no explicitly in sshd_config, or deny them per key with the no-X11-forwarding, no-agent-forwarding or restrict options in authorized_keys, and confirm the effective settings with sshd -T. Blocking at the network layer does not help, since forwarding is carried inside the encrypted SSH channel where a firewall cannot see it.
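To find hosts that rely on DisableForwarding alone, here is an added shell example (not OpenSSH project code) that evaluates the effective configuration as printed by sshd -T, whose keywords are lowercased, together with the server version string. The function names and the two sample configurations are this example's own constructions; in real use pass "$(sshd -T)" (requires root; add -C user=... host=... if Match blocks apply) and "$(ssh -V 2>&1 | cut -d, -f1)", which assumes client and server come from the same package.

```shell
#!/bin/sh
# Added example, not OpenSSH project code: audit an sshd for CVE-2025-32728 exposure
# from the effective configuration (`sshd -T` prints keywords lowercased) and the
# version string. Function names and sample inputs below are this example's own.

# Print the effective value of one lowercase keyword from `sshd -T` output.
sshd_t_value() {
    # $1 = sshd -T text, $2 = keyword, e.g. "allowagentforwarding"
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Succeed (return 0) when the version string ("OpenSSH_9.9p1", "OpenSSH_10.0p2")
# is 10.0 or later, i.e. carries the upstream fix. Vendor backports are not detected.
openssh_is_fixed() {
    major=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\..*/\1/p')
    [ -n "$major" ] && [ "$major" -ge 10 ]
}

# Return 0 when X11 and agent forwarding are actually denied, 1 when the host
# relies on DisableForwarding alone and an unfixed sshd would still grant them.
check_forwarding_policy() {
    cfg=$1
    ver=$2
    rc=0
    if openssh_is_fixed "$ver"; then
        echo "ok: $ver honours DisableForwarding for X11 and agent forwarding"
        return 0
    fi
    if [ "$(sshd_t_value "$cfg" disableforwarding)" != "yes" ]; then
        echo "info: DisableForwarding not set; nothing for CVE-2025-32728 to bypass"
        return 0
    fi
    # The per-type directives were always honoured by session.c, so they are the
    # workaround: each one still set to yes is a real gap on an unfixed server.
    if [ "$(sshd_t_value "$cfg" x11forwarding)" = "yes" ]; then
        echo "EXPOSED: DisableForwarding yes but X11Forwarding yes on $ver; set 'X11Forwarding no'"
        rc=1
    fi
    if [ "$(sshd_t_value "$cfg" allowagentforwarding)" = "yes" ]; then
        echo "EXPOSED: DisableForwarding yes but AllowAgentForwarding yes on $ver; set 'AllowAgentForwarding no'"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "ok: X11Forwarding and AllowAgentForwarding already deny forwarding on $ver"
    fi
    return "$rc"
}

# Constructed sample of `sshd -T` output (relevant lines only) for a host whose
# administrator relied on DisableForwarding alone. AllowAgentForwarding defaults
# to yes, so only X11Forwarding had to be turned on explicitly to reach this state.
SAMPLE_WEAK='port 22
disableforwarding yes
x11forwarding yes
allowagentforwarding yes
allowtcpforwarding yes'

# Constructed sample of the same host after applying the workaround.
SAMPLE_HARDENED='port 22
disableforwarding yes
x11forwarding no
allowagentforwarding no
allowtcpforwarding yes'

# Real use: check_forwarding_policy "$(sshd -T)" "$(ssh -V 2>&1 | cut -d, -f1)"
check_forwarding_policy "$SAMPLE_WEAK" "OpenSSH_9.9p1" || true
check_forwarding_policy "$SAMPLE_HARDENED" "OpenSSH_9.9p1"
check_forwarding_policy "$SAMPLE_WEAK" "OpenSSH_10.0p2"
```

The version test is deliberately conservative: a distribution package that backports the fix under a 9.x or 8.x version number is reported as exposed, which is the right prompt to check the package changelog against the ranges listed under Affected products rather than trust the upstream number.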
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <10.0
- OSV coordinates (44 package entries, none with a CPE), each with the vendor package version below which it is affected:
  - pkg:rpm/almalinux/openssh: < 9.9p1-11.el10.alma.1
  - pkg:rpm/almalinux/openssh-askpass: < 9.9p1-11.el10.alma.1
  - pkg:rpm/almalinux/openssh-clients: < 9.9p1-11.el10.alma.1
  - pkg:rpm/almalinux/openssh-keycat: < 9.9p1-11.el10.alma.1
  - pkg:rpm/almalinux/openssh-keysign: < 9.9p1-11.el10.alma.1
  - pkg:rpm/almalinux/openssh-server: < 9.9p1-11.el10.alma.1
  - pkg:rpm/opensuse/openssh-askpass-gnome&distro=openSUSE%20Leap%2015.6: < 9.6p1-150600.6.26.1
  - pkg:rpm/opensuse/openssh&distro=openSUSE%20Leap%2015.6: < 9.6p1-150600.6.26.1
  - pkg:rpm/opensuse/openssh&distro=openSUSE%20Tumbleweed: < 10.0p2-2.1
  - pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Enterprise%20Storage%207.1: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP6: < 9.6p1-150600.6.26.1
  - pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP7: < 9.6p1-150600.6.26.1
  - pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh&distro=SUSE%20Enterprise%20Storage%207.1: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Micro%205.1: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Micro%205.2: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Micro%205.3: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Micro%205.4: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Micro%205.5: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6: < 9.6p1-150600.6.26.1
  - pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7: < 9.6p1-150600.6.26.1
  - pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh&distro=SUSE%20Manager%20Proxy%204.3: < 8.4p1-150300.3.49.1
  - pkg:rpm/suse/openssh&distro=SUSE%20Manager%20Server%204.3: < 8.4p1-150300.3.49.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing check of the `disable_forwarding` flag in agent and X11 forwarding decision logic in session.c."
Attack vector
An attacker who can authenticate to the SSH server can request agent forwarding or X11 forwarding even when the administrator has set `DisableForwarding yes` in `sshd_config`. The server's forwarding checks omit the `disable_forwarding` flag, so the request is honored despite the configuration directive. This violates the documented behavior that `DisableForwarding` disables all forwarding types. [ref_id=1]
Affected code
The bug is in `session.c` in the functions `session_auth_agent_req` and `session_setup_x11fwd`. These functions check `options.allow_agent_forwarding` and `options.x11_forwarding` respectively, but they fail to also check `options.disable_forwarding`, so the `DisableForwarding` directive has no effect on agent or X11 forwarding. [ref_id=1] [ref_id=2]
What the fix does
The patch adds `|| options.disable_forwarding` to the condition in `session_auth_agent_req` and `session_setup_x11fwd`. Previously, only the per-option flags (`allow_agent_forwarding` and `x11_forwarding`) were checked, so setting `DisableForwarding` alone did not block forwarding. With the fix, if `disable_forwarding` is set, the functions return early and refuse the forwarding request, matching the documented behavior. [ref_id=1] [ref_id=2]
Preconditions
- config: The administrator must have set `DisableForwarding yes` in sshd_config
- auth: The attacker must authenticate to the SSH server
- input: The attacker must request agent forwarding or X11 forwarding
Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/013_ssh.patch.sig (source: mitre)
- [2] github.com/openssh/openssh-portable/commit/fc86875e6acb36401dfc1dfb6b628a9d1460f367 (source: mitre)
- [3] lists.mindrot.org/pipermail/openssh-unix-dev/2025-April/041879.html (source: mitre)
- [4] www.openssh.com/txt/release-10.0 (source: mitre)
- [5] www.openssh.com/txt/release-7.4 (source: mitre)
News mentions
- Only a Handful of CVEs Mattered for Supply Chain in 2025 (GovInfoSecurity · May 19, 2026)