CVE-2026-46595 Overview
CVE-2026-46595 is an authorization bypass vulnerability in the golang.org/x/crypto/ssh package. The flaw is a regression of [CVE-2024-45337], which previously addressed authorization bypass conditions in misused SSH server configurations. When an SSH server is configured with a callback type other than public key, the source-address validation logic is skipped. This allows unauthenticated remote attackers to bypass intended access restrictions enforced by the SSH server. The vulnerability is tracked by the Go security team as [GO-2026-5023] and is categorized under [CWE-863] (Incorrect Authorization).
Critical Impact
Remote attackers can bypass source-address restrictions on Go-based SSH servers without authentication, undermining a core access control mechanism.
Affected Products
- golang.org/x/crypto SSH package (all versions prior to the fix in CL 781642)
- Go applications that embed the golang.org/x/crypto/ssh library as an SSH server
- Third-party SSH server implementations built on the affected golang:crypto module
Discovery Timeline
- 2026-05-22 - CVE-2026-46595 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46595
Vulnerability Analysis
The vulnerability resides in the SSH server logic within the golang.org/x/crypto/ssh package. SSH server operators commonly enforce source-address restrictions tied to authorized keys, ensuring that a credential is only accepted from specific network locations. The earlier fix for [CVE-2024-45337] tightened these checks for public key authentication callbacks. However, the patch did not extend equivalent protection to other authentication callback types. When a server is configured with a non-public-key callback, the library skips source-address validation entirely. An attacker reaching the server from a network location that should be denied can complete authentication and gain access to the SSH session. The flaw is exploitable over the network without prior authentication or user interaction.
Root Cause
The root cause is an incomplete authorization check in the SSH server callback dispatch logic. Source-address validation is conditional on the callback type rather than uniformly enforced. As a result, configurations using password, keyboard-interactive, or other non-public-key callbacks bypass the address restriction code path. This is a classic [CWE-863] Incorrect Authorization condition.
Attack Vector
Exploitation requires a Go-based SSH server configured with a non-public-key authentication callback and source-address restrictions on its credentials. An attacker connects from a network location that should be blocked by the configured restriction. Because the validation is skipped, the server accepts the connection and proceeds with the authentication callback. Successful authentication grants the attacker access to a session that the policy was designed to deny. Detailed technical notes are available in Go.dev Issue #79570 and the Golang Announce post.
Detection Methods for CVE-2026-46595
Indicators of Compromise
- Successful SSH authentication events originating from source IPs that fall outside configured allow-lists for the corresponding account or key.
- SSH server logs showing authenticated sessions for accounts that should be restricted to specific subnets or jump hosts.
- Unexpected sessions to Go-based SSH services (Gerrit, Gitea, Drone, Teleport components, custom bastions) from previously unseen networks.
Detection Strategies
- Inventory all Go applications and confirm whether they import golang.org/x/crypto/ssh and act as SSH servers. Use go list -m all or SBOM tooling to identify affected versions.
- Compare authenticated SSH session source addresses against the source-address policies configured in the application; flag any mismatch.
- Review SSH server configuration to identify the use of PasswordCallback, KeyboardInteractiveCallback, or other non-public-key callbacks where source restrictions are expected.
Monitoring Recommendations
- Forward SSH server authentication logs to a centralized analytics platform and alert on successful authentications from IP ranges outside expected geographies or CIDR blocks.
- Monitor outbound process behavior of SSH server hosts for post-authentication actions inconsistent with the authenticated user role.
- Track upgrades of the golang.org/x/crypto module across the software supply chain to ensure remediated builds are deployed.
How to Mitigate CVE-2026-46595
Immediate Actions Required
- Upgrade golang.org/x/crypto to the fixed version referenced in GO-2026-5023 and rebuild all dependent binaries.
- Audit SSH server code paths for use of non-public-key callbacks and verify that source-address checks are performed in application logic until patched binaries are deployed.
- Restrict network exposure of affected SSH services using firewall or security group rules that enforce the intended source-address policy at the network layer.
Patch Information
The fix is delivered through Go change list CL 781642, referenced from issue #79570. Consumers of golang.org/x/crypto must update the module to the patched release and rebuild. Vendor guidance is published at the Go.dev Vulnerability Database entry GO-2026-5023 and announced via the golang-announce mailing list.
Workarounds
- Switch SSH server authentication to public-key callbacks where source-address validation is enforced, until the patched module is in production.
- Implement source-address validation in the application callback itself by inspecting ssh.ConnMetadata.RemoteAddr() and rejecting connections from disallowed networks.
- Enforce network-layer access controls (firewalls, security groups, VPN-only access) that replicate the source-address policy independent of the SSH library.
# Update golang.org/x/crypto to the patched release and rebuild
go get golang.org/x/crypto@latest
go mod tidy
go build ./...
# Verify no vulnerable versions remain
govulncheck ./...
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

