PatchSiren cyber security CVE debrief
CVE-2026-54590 ronf CVE debrief
CVE-2026-54590 is a path traversal vulnerability in AsyncSSH, a Python package for asynchronous SSHv2 protocol implementation. The issue arises from an incomplete fix for CVE-2026-45309 in version 2.23.0, which fails to block leading ~ or ${ENV} in AuthorizedKeysFile, allowing path expansion. This vulnerability has a CVSS score of 5.9 and is classified as MEDIUM severity. The issue has been fixed in version 2.23.1. Users of AsyncSSH version 2.23.0 should be aware of this path traversal vulnerability and take necessary actions.
- Vendor
- ronf
- Product
- asyncssh
- CVSS
- MEDIUM 5.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-10
Who should care
Users of AsyncSSH version 2.23.0, security teams, and operators managing SSH connections should be aware of this path traversal vulnerability. The issue has been fixed in version 2.23.1, and users should consider upgrading to the latest version. Additionally, users should review and restrict access to AuthorizedKeysFile and monitor for suspicious activity related to SSH connections.
Technical summary
The vulnerability exists due to an incomplete fix for CVE-2026-45309 in AsyncSSH version 2.23.0. The fix blocks /, , and .. before %u substitution in AuthorizedKeysFile but does not account for leading ~ or ${ENV}, which can be expanded later via _expand_val and Path(filename).expanduser(). This could allow attackers to escape the intended authorized-keys directory. The issue has been addressed in version 2.23.1.
Defensive priority
Medium priority given the CVSS score of 5.9 and the availability of a fix in version 2.23.1.
Recommended defensive actions
- Upgrade to AsyncSSH version 2.23.1 or later
- Review and restrict access to AuthorizedKeysFile
- Monitor for suspicious activity related to SSH connections
- Verify affected product deployments exist in managed environments
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-08T21:16:49.523Z and last modified on 2026-07-10T16:16:32.953Z. The NVD entry is currently in the 'Received' status. The AsyncSSH package provides an asynchronous client and server implementation of the SSHv2 protocol. The issue arises from an incomplete fix for CVE-2026-45309 in version 2.23.0. Users should verify their deployments and apply the fix in version 2.23.1. The CVE details are based on the supplied source corpus and may have limitations.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T21:16:49.523Z and has not been modified since then. The NVD entry is currently Received.