Path Traversal Vulnerability in AsyncSSH Python Package
CVE-2026-45309

8.2HIGH

Key Information:

Vendor

Ronf

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-45309?

The AsyncSSH Python package, which provides an asynchronous client and server implementation of the SSHv2 protocol, has a vulnerability that allows for path traversal attacks. Specifically, prior to version 2.23.0, the package improperly expands the AuthorizedKeysFile %u token during pre-authentication server configuration reload, enabling malicious users to potentially access unauthorized SSH key files. This occurs when the SSH username includes path traversal sequences (/, , or ..), allowing access to files outside the designated directory. The issue has been addressed and resolved in version 2.23.0.

Affected Version(s)

asyncssh < 2.23.0

References

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.