OpenSSH versions 7.2p1 and below suffer from a command injection and /bin/false bypass vulnerability via xauth.