CRITICAL🇵🇱 Wersja polska

CVE-2026-46595

CVSS 10.0pub. 2026-05-22upd. 2026-07-01

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

🤖 AI Analysis
How it works

The vulnerability is related to an incomplete fix of the earlier CVE-2024-45337 vulnerability. If in the SSH server configuration a callback type other than a public key-based callback is passed instead of a public key-based callback, the source address validation mechanism is completely bypassed. This means that access restrictions based on IP address cease to be enforced, allowing an attacker to connect to the SSH server from any network address.

Impact

An attacker without any authentication and from any network location can bypass source address-based authorization control, gaining unauthorized access to resources of the protected SSH server. This may lead to complete breach of confidentiality and integrity of data processed by the server.

Mitigation & patch

Patches available from the vendor should be applied in accordance with the references (https://go.dev/cl/781642, https://pkg.go.dev/vuln/GO-2026-5023). Additionally, it is recommended to verify the SSH server configuration for correct application of public key-based callbacks.

Who is affected

Applications using the Golang Crypto library with a misconfigured SSH server in which callbacks other than public key-based ones are applied — specific versions indicated in the vendor's references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
  • Golang Crypto

    APP
    Golang
    < 0.52.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-39832CRITICAL9.1PL ✓ten sam produkt

Golang Crypto: pominięcie ograniczeń przy przekazywaniu kluczy do zdalnego agenta SSH

CVE-2026-39833CRITICAL9.1PL ✓ten sam produkt

Golang Crypto: brak wymuszenia ograniczenia ConfirmBeforeUse w NewKeyring()

CVE-2026-39831CRITICAL9.1PL ✓ten sam produkt

Brak weryfikacji flagi User Presence w FIDO/U2F w Golang Crypto

CVE-2026-39830CRITICAL9.1PL ✓ten sam produkt

Golang Crypto: resource leak przez niezamawiane odpowiedzi SSH global request

CVE-2026-39834CRITICAL9.1PL ✓ten sam produkt

Integer overflow w Golang Crypto SSH — nieskończona pętla przy zapisie >4GB