SSHv2 Protocol Vulnerability in AsyncSSH Python Package
CVE-2026-54590

5.9MEDIUM

Key Information:

Vendor

Ronf

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-54590?

A directory traversal vulnerability in version 2.23.0 of the AsyncSSH Python package allows unauthorized access to files outside the intended authorized-keys directory. The incomplete fix for a previous issue fails to adequately block certain characters, such as leading '~' or '${ENV}', during the expansion process, potentially compromising the security of SSH connections. This issue was addressed in version 2.23.1, which implements a more robust solution to prevent such unauthorized file access.

Affected Version(s)

asyncssh < 2.23.1

References

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.