CVE-2026-46595

golang.org/x/crypto/ssh: Invoking VerifiedPublicKeyCallback permissions skip enforcement

Description

Previously, the fix for CVE-2024-45337 addressed an authorization bypass in misused SSH server configurations. If a callback of any type other than public key is passed, source-address validation is skipped.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Score: 10
Severity: Critical
Ecosystem: GO
Publish Date: June 25, 2026
Modified Date: June 25, 2026
Score Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Affected Versions