PatchSiren cyber security CVE debrief
CVE-2026-46595 golang.org/x/crypto CVE debrief
Published on 2026-05-22, CVE-2026-46595 describes an authorization-bypass issue in Go SSH server handling. The record says that when a callback other than public key authentication is used, source-address validation may be skipped. The description also frames this as a follow-on to CVE-2024-45337, indicating the earlier fix did not fully cover all callback paths.
- Vendor
- golang.org/x/crypto
- Product
- golang.org/x/crypto/ssh
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-22
- Original CVE updated
- 2026-05-22
- Advisory published
- 2026-05-22
- Advisory updated
- 2026-05-22
Who should care
Operators and developers running Go-based SSH servers, especially deployments that rely on source-address restrictions and custom authentication callbacks. Security teams reviewing authentication controls for internet-facing services should also pay attention.
Technical summary
The provided record indicates a logic gap in SSH server authorization flow: if the server uses a callback path other than public key authentication, the source-address validation step may not run. That can weaken an intended access-control boundary because address-based checks are not enforced consistently across all callback types. The issue appears related to an earlier authorization-bypass fix, suggesting incomplete coverage rather than a brand-new control.
Defensive priority
High for exposed Go SSH services that use source-address validation or custom auth callbacks; medium otherwise. Treat as higher priority if the service is reachable from untrusted networks or if address-based restrictions are part of the security model.
Recommended defensive actions
- Review SSH server configurations that use source-address validation together with non-public-key authentication callbacks.
- Check whether your Go dependency set includes the affected SSH server code path referenced by the Go advisory GO-2026-5023.
- Apply the vendor-provided fix or upgrade path referenced in the linked Go advisory and release announcement.
- Verify that authorization checks are enforced uniformly across all authentication callback types, not just public-key flows.
- Re-test any compensating controls or network allowlists that were assumed to be backed by SSH-layer source-address validation.
Evidence notes
This debrief is based only on the supplied CVE record, its NVD metadata, and the linked official Go references. The NVD record lists [email protected] references to a code change (go.dev/cl/781642), an issue tracker entry (go.dev/issue/79570), an announcement post, and pkg.go.dev/vuln/GO-2026-5023. No CVSS score, CPEs, or weakness identifiers were provided in the source corpus. Vendor attribution is low-confidence and should be treated cautiously; the only clear vendor signal in the supplied data is Go-related.
Official resources
Publicly disclosed through the CVE record and linked official Go security references. Timing context uses the supplied CVE published/modified timestamp of 2026-05-22T04:16:25.550Z; no other publication or review dates are treated as the CVE