PatchSiren cyber security CVE debrief
CVE-2026-45309 ronf CVE debrief
CVE-2026-45309 is a path traversal vulnerability in AsyncSSH, a Python package providing an asynchronous client and server implementation of the SSHv2 protocol. The vulnerability allows a server configured with AuthorizedKeysFile authorized_keys/%u to read an authorized-keys file outside the intended directory when the SSH username contains /, or .. path traversal segments and authenticate with an attacker-selected key file. This issue is fixed in version 2.23.0. Affected product deployments should be reviewed for exposure, and compensating controls should be considered while remediation is scheduled and verified.
- Vendor
- ronf
- Product
- asyncssh
- CVSS
- HIGH 8.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of AsyncSSH, especially those using version prior to 2.23.0, should be aware of this vulnerability and take steps to mitigate it. Affected operators, platforms, and security teams should review compensating controls and monitor SSH authentication attempts for suspicious activity.
Technical summary
The vulnerability is caused by the expansion of the OpenSSH-compatible AuthorizedKeysFile %u token in asyncssh/config.py, asyncssh/connection.py, asyncssh/auth_keys.py, and asyncssh/misc.py with the raw SSH username during pre-authentication server config reload. This allows an attacker to read an authorized-keys file outside the intended directory by including path traversal segments in the SSH username. The vulnerability has been fixed in version 2.23.0 of AsyncSSH.
Defensive priority
High
Recommended defensive actions
- Update AsyncSSH to version 2.23.0 or later
- Verify and restrict access to authorized-keys files
- Monitor SSH authentication attempts for suspicious activity
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The vulnerability is fixed in version 2.23.0 of AsyncSSH. Users should update to this version or later to mitigate the vulnerability. Evidence limits suggest that AsyncSSH versions prior to 2.23.0 are potentially vulnerable. Defenders should verify affected product deployments and review official advisories for scope and severity. The vulnerability allows a server configured with AuthorizedKeysFile authorized_keys/%u to read an authorized-keys file outside the intended directory when the SSH username contains /, or .. path traversal segments and authenticate with an attacker-selected key file.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T19:17:14.333Z and has not been modified since then.