CVE-2026-46705 - Vulnerability Details

Description

Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, the russh server authentication path keeps internal userauth state across SSH_MSG_USERAUTH_REQUEST messages without separating that state when the request principal changes. RFC 4252 allows the user name and service name fields to change between authentication requests. The issue is not that such changes are invalid. The issue is that russh-owned authentication state, such as remaining methods, partial-success state, and in-progress method state, can remain associated with the connection and then influence a later request for a different (user, service). This is an internal library state mismatch. This issue has been patched in version 0.61.0.

Published: 2026-06-10

Score: 5.3 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability occurs when the russh server library fails to reset user authentication state between successive SSH authentication requests when the principal changes. This allows residual authentication state—such as remaining methods or partial‑success flags—to carry over to a subsequent request for a different user or service, potentially enabling an attacker to bypass authentication checks or gain unauthorized access. The weakness arises from improper state separation during authentication and is classified as an authentication bypass (CWE‑287).

Affected Systems

Affected systems are those that host an SSH server implemented with the russh Rust SSH library, specifically versions from 0.34.0-beta.1 up to, but not including, 0.61.0. Custom servers or services embedding this library are impacted; the defect is absent in russh 0.61.0 and later.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while EPSS is not available and the issue is not listed in the CISA KEV catalog, suggesting no public exploitation yet. The attack vector is remote network access via the SSH protocol; an attacker would need to perform a sequence of authentication attempts with changing principals to exploit the retained state. Although code execution is not granted, unauthorized logins could lead to privilege escalation if used in concert with other vulnerabilities.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Eugeny

russh

affected

Version	Status	Constraints
`>= 0.34.0-beta.1, < 0.61.0`	affected	—

No data.

Vendor Product Confidence Versions

Eugeny

Russh

100%

Version	Status	Scheme	Platform
`[0.34.0-beta.1,0.61.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the russh library to version 0.61.0 or later where the issue is resolved.
Rebuild any custom SSH server components that depend on older russh versions using the patched library.
Restart or reload all services that use russh after upgrading to ensure a fresh authentication state.

Generated by OpenCVE AI on June 10, 2026 at 22:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-hpv4-5h6f-wqr3	russh server userauth state is not reset when authentication principal changes

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/Eugeny/russh/security/advisories/GHSA-hpv4-5h6f-wqr3

History

Thu, 11 Jun 2026 01:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Eugeny Eugeny russh
Vendors & Products		Eugeny Eugeny russh

Wed, 10 Jun 2026 21:00:00 +0000

Type	Values Removed	Values Added
Description		Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, the russh server authentication path keeps internal userauth state across SSH_MSG_USERAUTH_REQUEST messages without separating that state when the request principal changes. RFC 4252 allows the user name and service name fields to change between authentication requests. The issue is not that such changes are invalid. The issue is that russh-owned authentication state, such as remaining methods, partial-success state, and in-progress method state, can remain associated with the connection and then influence a later request for a different (user, service). This is an internal library state mismatch. This issue has been patched in version 0.61.0.
Title		russh server userauth state is not reset when authentication principal changes
Weaknesses		CWE-287
References		https://github.com/Eugeny/russh/security/advisories/GHSA-hpv4-5h6f-wqr3
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Eugeny Russh

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-10T20:21:35.177Z

Updated: 2026-06-10T20:22:20.209Z

Reserved: 2026-05-15T23:26:58.309Z

Link: CVE-2026-46705

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T22:17:00.713

Modified: 2026-06-10T22:17:00.713

Link: CVE-2026-46705

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T01:30:36Z

Weaknesses

CWE-287

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object