DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-46595: Critical Authorization Bypass via source-address Validation Failure in golang.org/x/crypto/ssh

Vulnerability ID: CVE-2026-46595
CVSS Score: 10.0
Published: 2026-06-25

An authorization bypass vulnerability exists in the golang.org/x/crypto/ssh package prior to version 0.52.0. When an SSH server is configured with a custom VerifiedPublicKeyCallback that returns a Permissions object containing a source-address critical option, the server fails to validate and enforce the restriction. This allows remote clients with valid public keys to bypass IP-based access restrictions and authenticate from unauthorized network locations.

TL;DR

The Go SSH server implementation fails to enforce 'source-address' restrictions returned by 'VerifiedPublicKeyCallback', allowing remote clients to bypass IP-based network access controls.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-863
  • Attack Vector: Network
  • CVSS v3.1 Score: 10.0
  • EPSS Score: 0.00385
  • Impact: Critical (Authorization Bypass / Unauthorized Access)
  • Exploit Status: Proof-of-Concept
  • KEV Status: Not Listed

Affected Systems

  • Go SSH servers using golang.org/x/crypto/ssh with VerifiedPublicKeyCallback
  • golang.org/x/crypto: < v0.52.0 (Fixed in: v0.52.0)

Code Analysis

Commit: 533fb3f

ssh: check source-address critical option in VerifiedPublicKeyCallback

diff --git a/ssh/server.go b/ssh/server.go
index dd1c327..0192a67 100644
--- a/ssh/server.go
+++ b/ssh/server.go
@@ -1050,7 +1057,14 @@ func (s *connection) serverAuthenticate(config *ServerConfig) (*Permissions, err
                    perms, authErr = config.VerifiedPublicKeyCallback(s, pubKey, perms, algo)
                }
+               if authErr == nil && perms != nil && perms.CriticalOptions != nil {
+                   if saco := perms.CriticalOptions[sourceAddressCriticalOption]; saco != "" {
+                       if err := checkSourceAddress(s.RemoteAddr(), saco); err != nil {
+                           authErr = err
+                       }
+                   }
+               }
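Review bot: the `perms.CriticalOptions != nil` guard in the new condition is redundant, since indexing a nil map in Go yields the zero value, so the lookup `perms.CriticalOptions[sourceAddressCriticalOption]` can run directly under `authErr == nil && perms != nil`. Overwriting `authErr` with the `checkSourceAddress` error is the right outcome (a restriction that does not cover `s.RemoteAddr()` must fail authentication), but this excerpt shows no accompanying test; add a server-side test in which VerifiedPublicKeyCallback returns Permissions whose source-address excludes the test connection's address and assert that authentication is rejected, and update the VerifiedPublicKeyCallback documentation to state that the source-address critical option is now enforced on the returned Permissions.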

Mitigation Strategies

  • Upgrade golang.org/x/crypto to version v0.52.0 or higher.
  • Manually enforce remote address validation within the custom VerifiedPublicKeyCallback implementation.
  • Move source-address authorization constraints entirely into the initial PublicKeyCallback handler.
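As an added example (not code from the x/crypto project), this is the check the second mitigation describes: a stand-alone Go reimplementation of the source-address semantics (single IPs or CIDR blocks, comma-separated) plus a hypothetical helper, `enforceCriticalOptions`, that a custom VerifiedPublicKeyCallback on an unpatched version would run against `conn.RemoteAddr()` and the Permissions it is about to return. Unknown remote addresses and malformed entries fail closed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

const sourceAddressCriticalOption = "source-address" // option name from the OpenSSH certificate format
// checkSourceAddress allows remote only if it matches an entry of the comma-separated
// list (single IP or CIDR). Stand-alone reimplementation of the OpenSSH semantics.
func checkSourceAddress(remote net.Addr, sourceAddrs string) error {
	tcpAddr, ok := remote.(*net.TCPAddr)
	if !ok || tcpAddr == nil { // an unknown address never satisfies a restriction
		return fmt.Errorf("remote address %v is not a TCP address", remote)
	}
	for _, entry := range strings.Split(sourceAddrs, ",") {
		entry = strings.TrimSpace(entry)
		if ip := net.ParseIP(entry); ip != nil { // bare IP entry
			if ip.Equal(tcpAddr.IP) {
				return nil
			}
			continue
		}
		_, ipNet, err := net.ParseCIDR(entry)
		if err != nil { // a malformed entry is a deny, never an implicit allow
			return fmt.Errorf("malformed source-address entry %q: %v", entry, err)
		}
		if ipNet.Contains(tcpAddr.IP) {
			return nil
		}
	}
	return fmt.Errorf("remote address %v denied by source-address restriction", remote)
}

// enforceCriticalOptions (hypothetical helper name) is the check a custom VerifiedPublicKeyCallback
// runs before returning: remote is conn.RemoteAddr(), criticalOptions is perms.CriticalOptions.
func enforceCriticalOptions(remote net.Addr, criticalOptions map[string]string) error {
	if saco := criticalOptions[sourceAddressCriticalOption]; saco != "" {
		return checkSourceAddress(remote, saco)
	}
	return nil
}
func main() { // constructed sample: permissions limited to one /8 plus a single host
	perms := map[string]string{sourceAddressCriticalOption: "10.0.0.0/8,192.0.2.7"}
	for _, host := range []string{"10.1.2.3", "192.0.2.7", "203.0.113.9"} {
		remote := &net.TCPAddr{IP: net.ParseIP(host), Port: 50000}
		fmt.Printf("%s -> %v\n", host, enforceCriticalOptions(remote, perms))
	}
}
```

Once golang.org/x/crypto v0.52.0 is in place the library performs this check itself, and the helper can be dropped.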

Remediation Steps:

  1. Open the terminal in your project directory.
  2. Run 'go get golang.org/x/crypto@v0.52.0' to update the dependency.
  3. Execute 'go mod tidy' to synchronize your module file.
  4. Recompile the SSH server binary and redeploy it to your production environments.


Read the full report for CVE-2026-46595 on our website for more details including interactive diagrams and full exploit analysis.
