Path Traversal Vulnerability in AsyncSSH Python Package
CVE-2026-45309
8.2HIGH
What is CVE-2026-45309?
The AsyncSSH Python package, which provides an asynchronous client and server implementation of the SSHv2 protocol, has a vulnerability that allows for path traversal attacks. Specifically, prior to version 2.23.0, the package improperly expands the AuthorizedKeysFile %u token during pre-authentication server configuration reload, enabling malicious users to potentially access unauthorized SSH key files. This occurs when the SSH username includes path traversal sequences (/, , or ..), allowing access to files outside the designated directory. The issue has been addressed and resolved in version 2.23.0.
Affected Version(s)
asyncssh < 2.23.0
