Description
AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Version 2.23.0 contains an incomplete fix for CVE-2026-45309 in SSHServerConfig._set_tokens that blocks /, , and .. before %u substitution in AuthorizedKeysFile but does not block a leading ~ or ${ENV}, allowing later expansion in _expand_val and Path(filename).expanduser() to escape the intended authorized-keys directory. This issue is fixed in version 2.23.1.
Published: 2026-07-08
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AsyncSSH version 2.23.0 contains an incomplete fix that allows a user name substitution bypass in the AuthorizedKeysFile setting. The bug permits the use of a leading tilde (~) or an environment variable (${ENV}) to be expanded during SSH key file resolution, enabling an attacker to access files outside the intended authorized‑keys directory. The result is a Path Traversal (CWE-22) that also permits bypass of expected authentication controls (CWE-639).

Affected Systems

The vulnerability affects the AsyncSSH transport library provided by ronf (asyncssh). All installations of version 2.23.0 are impacted, while the issue is resolved in version 2.23.1 and later releases.

Risk and Exploitability

The CVSS score of 5.9 indicates a medium impact. No EPSS score is published, and the vulnerability is not listed in the CISA KEV catalog, suggesting that active exploitation is not currently documented. An attacker capable of specifying a username, or who can influence the environment variables used by the SSH server, can craft a key file path that escapes the authorized‑keys directory. This could lead to unauthorized file access or execution of arbitrary commands with the privileges of the SSH session. The attack likely originates from an external SSH client that supplies a crafted username or environment, or from a local process that sets environment variables before launching the SSH server. Overall, the vulnerability represents a moderate risk awaiting exploitation confirmation, but it should be mitigated promptly to prevent potential future attacks.

Generated by OpenCVE AI on July 9, 2026 at 04:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade asyncssh to version 2.23.1 or later.
  • If an upgrade cannot be performed immediately, edit the SSH server configuration to remove user‑based substitution from the AuthorizedKeysFile setting, for example by specifying an absolute path and disabling ~ and ${ENV} expansions.
  • After reconfiguration, verify that path resolution for the key file cannot traverse outside the intended directory by testing with a variety of usernames and environment variable values.

Generated by OpenCVE AI on July 9, 2026 at 04:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 20:45:00 +0000

Type Values Removed Values Added
Description AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Version 2.23.0 contains an incomplete fix for CVE-2026-45309 in SSHServerConfig._set_tokens that blocks /, , and .. before %u substitution in AuthorizedKeysFile but does not block a leading ~ or ${ENV}, allowing later expansion in _expand_val and Path(filename).expanduser() to escape the intended authorized-keys directory. This issue is fixed in version 2.23.1.
Title AsyncSSH AuthorizedKeysFile username substitution bypass through ~ and environment expansion
Weaknesses CWE-22
CWE-639
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-08T20:36:45.258Z

Reserved: 2026-06-15T19:45:23.538Z

Link: CVE-2026-54590

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T04:15:12Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-639

    Authorization Bypass Through User-Controlled Key