SSHv2 Protocol Vulnerability in AsyncSSH Python Package
CVE-2026-54590
5.9MEDIUM
What is CVE-2026-54590?
A directory traversal vulnerability in version 2.23.0 of the AsyncSSH Python package allows unauthorized access to files outside the intended authorized-keys directory. The incomplete fix for a previous issue fails to adequately block certain characters, such as leading '~' or '${ENV}', during the expansion process, potentially compromising the security of SSH connections. This issue was addressed in version 2.23.1, which implements a more robust solution to prevent such unauthorized file access.
Affected Version(s)
asyncssh < 2.23.1
