PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54591 ronf CVE debrief

CVE-2026-54591 is a high-severity vulnerability in the AsyncSSH Python package, allowing a malicious SSH server to write arbitrary files on the AsyncSSH SCP client's filesystem by sending filenames containing ../ traversal sequences. This issue is fixed in version 2.23.1. Affected users should update to prevent potential file writes on their systems. The vulnerability arises from the _parse_cd_args function in scp.py, which returns server-provided names verbatim, and the _recv_files function, which joins these names to the destination path without enforcing the target directory boundary.

Vendor
ronf
Product
asyncssh
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

Users of AsyncSSH package versions prior to 2.23.1 should update to the latest version to prevent potential file writes on their systems. This includes operators managing affected deployments, platform administrators, vulnerability management teams, and security teams responsible for monitoring and incident response.

Technical summary

The AsyncSSH package, a Python implementation of the SSHv2 protocol, has a vulnerability that allows a malicious SSH server to write arbitrary files on the client's filesystem. This is achieved by sending filenames with ../ traversal sequences. The issue arises from the _parse_cd_args function in scp.py, which returns server-provided names verbatim, and the _recv_files function, which joins these names to the destination path without enforcing the target directory boundary. The vulnerability is fixed in version 2.23.1.

Defensive priority

High

Recommended defensive actions

  • Update AsyncSSH to version 2.23.1 or later
  • Restrict access to sensitive files and directories
  • Monitor for suspicious file writes
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-08T21:16:49.657Z and last modified on 2026-07-10T19:10:59.333Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD details. Defenders should verify affected AsyncSSH versions and update to 2.23.1 or later. Limited source information may impact thoroughness of defensive actions.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T21:16:49.657Z and has not been modified since then. The NVD entry is currently Deferred.