CVE-2026-46595
Published: 2026-05-22

Priority: P261 · Severity: critical · CVSS 3.1: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L)
EPSS: 0.44% (35.2th percentile)
Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

Affected

51 ranges (showing 25)

Vendor                       Product                                      Version range      Fixed in
advanced-cluster-security    rhacs-main-rhel8
assisted                     agent-preinstall-image-builder-rhel9
buildah_project              buildah
cert-manager                 jetstack-cert-manager-rhel9
compliance                   openshift-security-profiles-rhel8-operator
confidential-containers      trustee
container-tools_rhel8        buildah
container-tools_rhel8        podman
cryostat                     cryostat-storage-rhel9
devspaces                    traefik-rhel9
devworkspace                 devworkspace-rhel9-operator
external-secrets-operator    external-secrets-rhel9
go-toolset_rhel8             golang
golang.org                   x_crypto_ssh                                 >= 0 < 0.52.0      0.52.0
golang                       crypto                                       < 0.52.0           0.52.0
kubernetes                   cri-o
kubevirt                     kubevirt
multicluster-engine          assisted-service-8-rhel8
multicluster-engine          assisted-service-9-rhel9
multicluster-engine          hypershift-addon-rhel9-operator
oadp                         oadp-velero-rhel9
odf4                         cephcsi-rhel9
odf4                         odf-multicluster-rhel9-operator
openshift-builds             openshift-builds-waiters-rhel9
openshift-gitops-1           argocd-rhel8

Detection & IOCs (extracted from sources)

  • SSH server authorization bypass: if any callback type other than public key is passed to the SSH server configuration, source-address validation is skipped entirely, allowing remote attackers to bypass source-address restrictions
  • Affected component is golang.org/x/crypto/ssh — audit all Go-based SSH server implementations using this package for non-public-key callback configurations
  • This is a regression/incomplete fix of CVE-2024-45337 — environments that applied the prior fix may still be vulnerable if non-public-key callbacks are in use
  • Vulnerability only manifests in SSH server configurations that use a callback type other than public key; standard public-key-only configurations are not affected by the bypass
  • Numerous Red Hat products are under investigation for impact, including buildah, podman, golang, cri-o, microshift, openshift, kubevirt, and many others; patch status is not yet confirmed for most
  • golang1.25 and golang1.26 packages in Red Hat Hardened Images are confirmed Affected

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      10.0    CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
ghsa                      9.1     CRITICAL
vendor_redhat             9.1     CRITICAL
vendor_ubuntu             9.1     CRITICAL