PatchSiren cyber security CVE debrief

CVE-2026-46705 Eugeny CVE debrief

A vulnerability was discovered in the Russh Rust SSH client & server library, affecting versions from 0.34.0-beta.1 to before 0.61.0. The issue arises from the Russh server authentication path keeping internal userauth state across SSH_MSG_USERAUTH_REQUEST messages without properly separating that state when the request principal changes. This internal library state mismatch can lead to unintended behavior in later authentication requests for different users or services.

Vendor: Eugeny
Product: russh
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-10
Original CVE updated: 2026-06-11
Advisory published: 2026-06-10
Advisory updated: 2026-06-11

Who should care

Developers and administrators using the Russh library for SSH functionality in their applications should be aware of this vulnerability. Specifically, those who have not upgraded to version 0.61.0 or later are at risk.

Technical summary

The Russh library fails to reset internal authentication state when the user or service name changes between authentication requests. As a result, authentication state such as remaining methods, partial-success state, and in-progress method state can remain associated with the connection and influence later requests for different users or services.
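The sketch below is an added example, not russh's code or its 0.61.0 patch: a simplified model of per-connection userauth state that is flushed whenever the (user, service) pair in a request differs from the previous one, which is the behaviour RFC 4252 section 5 requires of servers. The type names, method names and sample principals are hypothetical.

```rust
use std::collections::BTreeSet;

// Simplified model; type and method names are hypothetical, not russh's API.
const ALL_METHODS: [&str; 3] = ["publickey", "password", "keyboard-interactive"];

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Principal { pub user: String, pub service: String }

#[derive(Debug)]
pub struct AuthState {
    principal: Option<Principal>,
    pub remaining: BTreeSet<&'static str>, // methods still allowed
    pub partial_success: bool,             // an earlier method succeeded
    pub in_progress: Option<&'static str>, // multi-step method under way
}

impl AuthState {
    pub fn new() -> Self {
        AuthState {
            principal: None,
            remaining: ALL_METHODS.iter().copied().collect(),
            partial_success: false,
            in_progress: None,
        }
    }

    /// Run first on every SSH_MSG_USERAUTH_REQUEST; true means state was flushed.
    pub fn begin_request(&mut self, user: &str, service: &str) -> bool {
        let incoming = Principal { user: user.to_string(), service: service.to_string() };
        let changed = matches!(&self.principal, Some(p) if *p != incoming);
        if changed {
            *self = AuthState::new(); // drop everything earned under the old principal
        }
        self.principal = Some(incoming);
        changed
    }

    pub fn record_partial_success(&mut self, method: &'static str) {
        self.remaining.remove(method);
        self.partial_success = true;
        self.in_progress = None;
    }
}

fn main() {
    let mut s = AuthState::new();
    s.begin_request("alice", "ssh-connection"); // constructed sample principals
    s.record_partial_success("publickey");
    println!("flushed on change: {}", s.begin_request("bob", "ssh-connection"));
}
```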

Defensive priority

MEDIUM

Recommended defensive actions

  • Upgrade to Russh version 0.61.0 or later to patch the vulnerability.
  • Review and update any applications or services using the affected versions of the Russh library.

Evidence notes

The vulnerability has been patched in version 0.61.0 of the Russh library. For more information, refer to the official CVE record [cve-org] and the NVD detail page [nvd]. Additional details can be found in the security advisory [ref-4].

Official resources

CVE-2026-46705 was published on 2026-06-10T22:17:00.713Z and modified on 2026-06-11T16:16:23.823Z.