VYPR
Unrated severity · NVD Advisory · Published May 22, 2026

CVE-2026-46595

Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2026-46595 in Go's crypto/ssh allows skipping source-address validation when non-public-key callbacks are used.

Vulnerability

CVE-2026-46595 is a vulnerability in the Go standard library's crypto/ssh package. The fix for CVE-2024-45337 addressed an authorization bypass when using public key callbacks, but the fix was incomplete: if any other type of authentication callback is passed instead of a public key callback, the source-address validation is skipped entirely. This affects all versions of golang.org/x/crypto before the fix included in Go 1.24.1 and Go 1.23.7, and the crypto/ssh package in those Go versions [1][3].

Exploitation

An attacker needs to be able to initiate an SSH connection to a server that uses a non-public-key authentication callback (e.g., a custom callback or a certificate-based callback). The attacker can then bypass the server's source-address restrictions, which were intended to limit access to specific client IP addresses or ranges. No prior authentication or user interaction is required beyond the ability to make an SSH connection attempt [1][3].
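What a source-address restriction of the kind described above checks, as an added Go example that is not code from this page or from golang.org/x/crypto. It assumes the restriction arrives as an OpenSSH-style `source-address` critical option holding a comma-separated list of addresses or CIDR ranges; `checkSourceAddress` is a hypothetical helper and the addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// sourceAddressOption is the critical-option name assumed to carry the
// comma-separated allow-list of client addresses and CIDR ranges.
const sourceAddressOption = "source-address"

// checkSourceAddress (hypothetical helper) enforces the allow-list in
// criticalOptions against remote, no matter which authentication callback
// produced the options. It fails closed on anything it cannot parse.
func checkSourceAddress(criticalOptions map[string]string, remote net.Addr) error {
	list, ok := criticalOptions[sourceAddressOption]
	if !ok {
		return nil // no restriction was attached to this login
	}
	tcp, ok := remote.(*net.TCPAddr)
	if !ok || tcp == nil || tcp.IP == nil {
		return fmt.Errorf("source-address set but remote %v is not a TCP address", remote)
	}
	for _, entry := range strings.Split(list, ",") {
		entry = strings.TrimSpace(entry)
		if ip := net.ParseIP(entry); ip != nil { // bare address entry
			if ip.Equal(tcp.IP) {
				return nil
			}
			continue
		}
		_, cidr, err := net.ParseCIDR(entry) // address/prefix-length entry
		if err != nil {
			return fmt.Errorf("malformed source-address entry %q: %w", entry, err)
		}
		if cidr.Contains(tcp.IP) {
			return nil
		}
	}
	return fmt.Errorf("remote %s not permitted by source-address %q", tcp.IP, list)
}

func main() {
	// Constructed sample: options as any authentication callback might return them.
	opts := map[string]string{sourceAddressOption: "192.0.2.0/24,2001:db8::1"}
	for _, a := range []string{"192.0.2.10", "198.51.100.7", "2001:db8::1"} {
		err := checkSourceAddress(opts, &net.TCPAddr{IP: net.ParseIP(a), Port: 50022})
		fmt.Printf("%-14s allowed=%v\n", a, err == nil)
	}
}
```

The point the advisory turns on is that this check has to run for every callback type that can return restricted permissions, not only for the public key path.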

Impact

Successful exploitation allows an attacker to circumvent SSH server source-address validation, potentially gaining unauthorized network access to services that rely on this restriction for security. The attacker does not need to authenticate, and the impact is a circumvention of access controls that could lead to further compromise [1][3].

Mitigation

The vulnerability is fixed in Go 1.24.1 and Go 1.23.7, released on 2026-05-22. Users should update to these versions or later. There is no workaround available for versions that do not contain the fix. The issue was reported privately and is tracked as Go issue 79570 [1][3].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

4
