CVE-2026-46595
published 2026-05-22
Priority: P2 (61) · CVSS 3.1: 10.0 Critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L)
EPSS: 0.44% (percentile 35.2)
Previously, CVE-2024-45337 fixed an authorization bypass for misused SSH server configurations; if a callback other than the public-key callback is used, the source-address validation is skipped.
Affected (51 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advanced-cluster-security | rhacs-main-rhel8 | — | — |
| assisted | agent-preinstall-image-builder-rhel9 | — | — |
| buildah_project | buildah | — | — |
| cert-manager | jetstack-cert-manager-rhel9 | — | — |
| compliance | openshift-security-profiles-rhel8-operator | — | — |
| confidential-containers | trustee | — | — |
| container-tools_rhel8 | buildah | — | — |
| container-tools_rhel8 | podman | — | — |
| cryostat | cryostat-storage-rhel9 | — | — |
| devspaces | traefik-rhel9 | — | — |
| devworkspace | devworkspace-rhel9-operator | — | — |
| external-secrets-operator | external-secrets-rhel9 | — | — |
| go-toolset_rhel8 | golang | — | — |
| golang.org | x_crypto_ssh | >= 0 < 0.52.0 | 0.52.0 |
| golang | crypto | < 0.52.0 | 0.52.0 |
| kubernetes | cri-o | — | — |
| kubevirt | kubevirt | — | — |
| multicluster-engine | assisted-service-8-rhel8 | — | — |
| multicluster-engine | assisted-service-9-rhel9 | — | — |
| multicluster-engine | hypershift-addon-rhel9-operator | — | — |
| oadp | oadp-velero-rhel9 | — | — |
| odf4 | cephcsi-rhel9 | — | — |
| odf4 | odf-multicluster-rhel9-operator | — | — |
| openshift-builds | openshift-builds-waiters-rhel9 | — | — |
| openshift-gitops-1 | argocd-rhel8 | — | — |
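The affected range in the table above is golang.org/x/crypto below 0.52.0 (the rows name it as `x_crypto_ssh` and `crypto`; the Go module path is `golang.org/x/crypto`). Because Go embeds module versions in every binary, the range can be checked on deployed binaries rather than only on go.mod files: `go version -m <binary>` prints the build info, one `dep` line per module, with a `=>` line after any module that was replaced. The following is an added example, not the tracker's or the Go project's code. It parses that output (a constructed sample is embedded in `SampleGoVersionOutput`) and flags binaries whose resolved x/crypto version is below the fix; the fixed version, the semver ordering of pseudo-versions and the choice to treat an unparseable version as vulnerable are the example's own assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Module and fix boundary taken from the affected table (assumption: the
// fixed version is stated as a Go module version string).
const (
	auditModule  = "golang.org/x/crypto"
	fixedVersion = "v0.52.0"
)

// Finding is one binary's resolved golang.org/x/crypto version.
type Finding struct {
	Binary     string
	Version    string
	Vulnerable bool
}

// parseVersion splits a Go module version ("v0.51.0", "v0.52.1-0.2026...",
// "v0.0.0-20250101000000-abcdef123456") into numeric parts and a flag saying
// whether it carried a pre-release or pseudo-version suffix.
func parseVersion(v string) (parts [3]int, pre bool, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i] // build metadata never affects ordering
	}
	if i := strings.IndexByte(v, '-'); i >= 0 {
		v, pre = v[:i], true
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return parts, false, false
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 {
			return parts, false, false
		}
		parts[i] = n
	}
	return parts, pre, true
}

// VersionLess reports a < b in semver order. A pre-release or pseudo-version
// sorts before its base release, so "v0.52.0-0.2026..." is still below v0.52.0.
func VersionLess(a, b string) (bool, error) {
	pa, prea, ok := parseVersion(a)
	if !ok {
		return false, fmt.Errorf("unparseable module version %q", a)
	}
	pb, preb, ok := parseVersion(b)
	if !ok {
		return false, fmt.Errorf("unparseable module version %q", b)
	}
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i], nil
		}
	}
	return prea && !preb, nil
}

// classify marks a resolved version as vulnerable when it is below the fix.
// An unparseable version (a local replace with no version, "(devel)") is
// treated as vulnerable: unknown is not safe.
func classify(binary, version string) Finding {
	less, err := VersionLess(version, fixedVersion)
	return Finding{Binary: binary, Version: version, Vulnerable: err != nil || less}
}

// AuditGoVersionOutput walks the text printed by `go version -m` over one or
// more binaries. Header lines ("path: go1.x") are not tab-indented; build-info
// lines are tab-separated. A "=>" line belongs to the "dep" line just before
// it and names the replacement that was actually linked in.
func AuditGoVersionOutput(out string) []Finding {
	var findings []Finding
	binary := ""
	lastDepIsTarget := false
	for _, line := range strings.Split(out, "\n") {
		if line == "" {
			continue
		}
		if !strings.HasPrefix(line, "\t") {
			binary = line
			if i := strings.Index(line, ": "); i >= 0 {
				binary = line[:i]
			}
			lastDepIsTarget = false
			continue
		}
		f := strings.Split(strings.TrimPrefix(line, "\t"), "\t")
		if f[0] == "=>" {
			if lastDepIsTarget && len(f) >= 3 {
				findings[len(findings)-1] = classify(binary, f[2])
			}
			lastDepIsTarget = false
			continue
		}
		lastDepIsTarget = len(f) >= 3 && f[0] == "dep" && f[1] == auditModule
		if lastDepIsTarget {
			findings = append(findings, classify(binary, f[2]))
		}
	}
	return findings
}

// SampleGoVersionOutput is a constructed stand-in for `go version -m` run over
// four binaries: one on a vulnerable release, one on the fix, one whose old
// dep is overridden by a replace, and one that does not link x/crypto at all.
var SampleGoVersionOutput = strings.Join([]string{
	"/usr/local/bin/sshd-a: go1.24.2",
	"\tpath\texample.com/sshd-a",
	"\tmod\texample.com/sshd-a\t(devel)",
	"\tdep\tgolang.org/x/crypto\tv0.51.0\th1:AAAA=",
	"\tbuild\t-buildmode=exe",
	"/usr/local/bin/sshd-b: go1.24.2",
	"\tpath\texample.com/sshd-b",
	"\tdep\tgolang.org/x/crypto\tv0.52.0\th1:BBBB=",
	"/usr/local/bin/sshd-c: go1.24.2",
	"\tpath\texample.com/sshd-c",
	"\tdep\tgolang.org/x/crypto\tv0.40.0\th1:CCCC=",
	"\t=>\tgolang.org/x/crypto\tv0.53.0\th1:DDDD=",
	"/usr/local/bin/nossh: go1.24.2",
	"\tpath\texample.com/nossh",
	"\tdep\tgolang.org/x/sys\tv0.30.0\th1:EEEE=",
}, "\n")

func main() {
	for _, f := range AuditGoVersionOutput(SampleGoVersionOutput) {
		fmt.Printf("%-24s %-10s vulnerable=%v\n", f.Binary, f.Version, f.Vulnerable)
	}
}
```

On a real host, feed `go version -m` over the binaries of interest (for example the SSH-serving daemons in the Affected table) into `AuditGoVersionOutput`; a binary that only links x/crypto for something other than the `ssh` package still shows up, so the finding is a dependency-level signal and the configuration check (which callbacks the server config uses) has to follow.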
Detection & IOCs (extracted from sources)
- SSH server authorization bypass: when the server configuration uses a callback other than the public-key callback (the GHSA title names VerifiedPublicKeyCallback), the source-address validation on the resulting permissions is skipped entirely, so a remote client can authenticate from an address that the certificate's source-address restriction should have excluded.
- Affected component is golang.org/x/crypto/ssh, fixed in 0.52.0: audit every Go-based SSH server built on this package for non-public-key callback configurations.
- This is a follow-on to the incomplete fix for CVE-2024-45337: environments that applied that fix may still be vulnerable if non-public-key callbacks are in use.
- The vulnerability only manifests in SSH server configurations that use a callback type other than public key; configurations that use only the public-key callback are not affected by this bypass.
- Numerous Red Hat products are under investigation for impact, including buildah, podman, golang, cri-o, microshift, openshift and kubevirt; patch status is not yet confirmed for most.
- golang1.25 and golang1.26 packages in Red Hat Hardened Images are confirmed Affected.
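The check the advisory describes as skipped is the `source-address` critical option of an OpenSSH user certificate: a comma-separated list of addresses or CIDR blocks from which the certificate may be used. Upgrading to x/crypto 0.52.0 is the fix; independently of that, an application can re-run the same check itself on the permissions it is about to grant, from whichever callback produced them, so that a library-level skip does not become an open door. The block below is an added example, not the page's or x/crypto's code. It uses only the standard library: `Permissions` is a local stand-in for the relevant field of `ssh.Permissions`, the names `CheckSourceAddress` and `EnforceSourceAddress` are the example's own, and the decision to reject on any malformed entry (fail closed) is the example's policy, not a statement about what x/crypto does.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// Permissions is a local stand-in for the CriticalOptions field of
// ssh.Permissions (assumption: declared here so the example builds with the
// standard library only; a real server would pass the *ssh.Permissions it is
// about to grant).
type Permissions struct {
	CriticalOptions map[string]string
}

// sourceAddressOption is the OpenSSH user-certificate critical option name.
const sourceAddressOption = "source-address"

// remoteIP extracts the client IP from a net.Addr: a *net.TCPAddr directly,
// otherwise anything whose String() is "host:port" or "[v6]:port".
func remoteIP(remote net.Addr) (netip.Addr, error) {
	if remote == nil {
		return netip.Addr{}, fmt.Errorf("source-address: no remote address")
	}
	host := ""
	if tcp, ok := remote.(*net.TCPAddr); ok {
		host = tcp.IP.String()
	} else {
		h, _, err := net.SplitHostPort(remote.String())
		if err != nil {
			return netip.Addr{}, fmt.Errorf("source-address: cannot split %q: %w", remote.String(), err)
		}
		host = h
	}
	ip, err := netip.ParseAddr(host)
	if err != nil {
		return netip.Addr{}, fmt.Errorf("source-address: cannot parse client IP %q: %w", host, err)
	}
	// ::ffff:a.b.c.d is the same client as a.b.c.d; netip never matches across
	// families, so normalise before comparing against IPv4 prefixes.
	return ip.Unmap(), nil
}

// parseSourceAddresses parses every entry before any matching is done, so one
// malformed entry rejects the whole option: an option the server cannot
// interpret fails closed instead of being skipped.
func parseSourceAddresses(sourceAddrs string) ([]netip.Prefix, error) {
	if strings.TrimSpace(sourceAddrs) == "" {
		return nil, fmt.Errorf("source-address: empty option")
	}
	var prefixes []netip.Prefix
	for _, e := range strings.Split(sourceAddrs, ",") {
		e = strings.TrimSpace(e)
		if strings.Contains(e, "/") {
			p, err := netip.ParsePrefix(e)
			if err != nil {
				return nil, fmt.Errorf("source-address: malformed entry %q: %w", e, err)
			}
			prefixes = append(prefixes, p.Masked())
			continue
		}
		a, err := netip.ParseAddr(e) // a bare address means a /32 or /128
		if err != nil {
			return nil, fmt.Errorf("source-address: malformed entry %q: %w", e, err)
		}
		a = a.Unmap()
		prefixes = append(prefixes, netip.PrefixFrom(a, a.BitLen()))
	}
	return prefixes, nil
}

// CheckSourceAddress returns nil only if the client address lies inside one of
// the entries of sourceAddrs.
func CheckSourceAddress(remote net.Addr, sourceAddrs string) error {
	ip, err := remoteIP(remote)
	if err != nil {
		return err
	}
	prefixes, err := parseSourceAddresses(sourceAddrs)
	if err != nil {
		return err
	}
	for _, p := range prefixes {
		if p.Contains(ip) {
			return nil
		}
	}
	return fmt.Errorf("source-address: client %s not permitted by %q", ip, sourceAddrs)
}

// EnforceSourceAddress is the application-side re-check to run on the
// permissions being granted, before the session is accepted. No perms or no
// source-address option means no restriction, which is the option's semantics.
func EnforceSourceAddress(remote net.Addr, perms *Permissions) error {
	if perms == nil {
		return nil
	}
	src, ok := perms.CriticalOptions[sourceAddressOption]
	if !ok {
		return nil
	}
	return CheckSourceAddress(remote, src)
}

func main() {
	// Constructed sample: a certificate restricted to two ranges, two clients.
	perms := &Permissions{CriticalOptions: map[string]string{
		sourceAddressOption: "10.0.0.0/8, 2001:db8::/32",
	}}
	for _, c := range []net.Addr{
		&net.TCPAddr{IP: net.ParseIP("10.0.0.5"), Port: 51234},
		&net.TCPAddr{IP: net.ParseIP("192.0.2.9"), Port: 51234},
	} {
		fmt.Printf("%-20s %v\n", c, EnforceSourceAddress(c, perms))
	}
}
```

In a server built on x/crypto/ssh the `remote` argument is what `ConnMetadata.RemoteAddr()` returns and `perms` is whatever the server is about to hand to the session; running the check there, in addition to upgrading, means a certificate restricted to a management network stays restricted even if a library path skips the enforcement.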
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L |
| ghsa | — | 9.1 | CRITICAL | — |
| vendor_redhat | — | 9.1 | CRITICAL | — |
| vendor_ubuntu | — | 9.1 | CRITICAL | — |
GHSA
golang.org/x/crypto/ssh: Invoking VerifiedPublicKeyCallback permissions skip enforcement
ghsa · 2026-06-25 · CVSS 9.1 · CRITICAL · CWE-863
Ubuntu
Google Guest Agent vulnerabilities (CVE-2026-39831)
vendor_ubuntu · 2026-06-22 · CVSS 9.1 · CRITICAL
Summary: Several security issues were fixed in Google Guest Agent.
USN-8447-1 fixed vulnerabilities in Go Cryptography. This update provides the corresponding updates for Go Cryptography code embedded in Google Guest Agent.
Original advisory details:
It was discovered that Go Cryptography did not properly handle SSH global request responses. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2026-39830)
It was discovered that Go Cryptography did not properly verify user presence when using FIDO/U2F security keys. An attacker could possibly use this issue to bypass user presence verification for hardware security keys. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04
Ubuntu
LXD vulnerabilities (CVE-2026-39830)
vendor_ubuntu · 2026-06-18 · CVSS 9.1 · CRITICAL
Summary: Several security issues were fixed in LXD.
USN-8447-1 fixed vulnerabilities in Go Cryptography. This update provides the corresponding updates for Go Cryptography code embedded in LXD for CVE-2026-39830, CVE-2026-39833, CVE-2026-39834, and CVE-2026-42508.
Original advisory details:
It was discovered that Go Cryptography did not properly handle SSH global request responses. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2026-39830)
It was discovered that Go Cryptography did not properly verify user presence when using FIDO/U2F security keys. An attacker could possibly use this issue to bypass user presence verification for hardware security keys. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 2
Red Hat
golang.org/x/crypto/ssh: Authorization bypass due to skipped source-address validation
vendor_redhat · 2026-05-22 · CVSS 9.1 · CRITICAL · CWE-303
A flaw was found in the `golang.org/x/crypto/ssh` component. This vulnerability allows a remote attacker to bypass source-address validation in certain SSH server configurations. By providing a callback type other than a public key, an attacker can circumvent security checks, potentially leading to unauthorized access.
Package: assisted/agent-preinstall-image-builder-rhel9 (Assisted Installer for Red Hat OpenShift Container Platform 2) - Under investigation
Package: o
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-46595 golang: golang.org/x/crypto/ssh: Authorization bypass due to skipped source-address validation [fedora-all]
bugzilla · 2026-06-10 · CVSS 10.0 · CRITICAL
Disclaimer: Community trackers are created by the Red Hat Product Security team on a best-effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package before starting the update process.
Bugzilla
CVE-2026-46595 golang.org/x/crypto/ssh: Authorization bypass due to skipped source-address validation
bugzilla · 2026-05-22 · CVSS 9.1 · CRITICAL
References
- https://go.dev/cl/781642
- https://go.dev/issue/79570
- https://groups.google.com/g/golang-announce/c/a082jnz-LvI
- https://pkg.go.dev/vuln/GO-2026-5023
- https://access.redhat.com/errata/RHSA-2026:23262
- https://access.redhat.com/errata/RHSA-2026:23264
- https://access.redhat.com/errata/RHSA-2026:26546
- https://access.redhat.com/errata/RHSA-2026:26547
- https://access.redhat.com/errata/RHSA-2026:30650
- https://access.redhat.com/errata/RHSA-2026:30651
- https://access.redhat.com/security/cve/CVE-2026-46595
- https://bugzilla.redhat.com/show_bug.cgi?id=2480689
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46595.json
Published: 2026-05-22