critical · 10CVE-2026-46595Jun 25, 2026

CVE-2026-46595: golang.org/x/crypto/ssh VerifiedPublicKeyCallback Source-Address Authorization Bypass

Pranav Khune
Penetration Testing Team Lead, SecureLayer7

golang.org/x/crypto/ssh < 0.52.0 skips source-address enforcement when VerifiedPublicKeyCallback is set, allowing auth from blocked IPs. CVSS 10.

Packagegolang.org/x/crypto/ssh
Ecosystemgo
Affected< 0.52.0
Fixed in0.52.0
CVE-2026-46595: golang.org/x/crypto/ssh VerifiedPublicKeyCallback Source-Address Authorization Bypass

The problem

Servers using VerifiedPublicKeyCallback (introduced as the fix surface for CVE-2024-45337) did not apply source-address restrictions during public-key authentication. An attacker connecting from an IP address that should be blocked by certificate source-address extensions can successfully authenticate, achieving complete authorization bypass (CWE-863, CVSS 10).

Proof of concept

go
// Attacker connects from a source IP not listed in the key's
// source-address restriction, targeting a server that sets ONLY
// VerifiedPublicKeyCallback (no PublicKeyCallback source-address check).
//
// Vulnerable server config (go < 0.52.0):
config := &ssh.ServerConfig{
    // PublicKeyCallback approves the key but never enforces source-address
    PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
        return &ssh.Permissions{}, nil // source-address NOT checked here
    },
    // VerifiedPublicKeyCallback is invoked post-signature; source-address
    // restriction in Permissions.Extensions is silently ignored here too
    VerifiedPublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey, perms *ssh.Permissions, algo string) (*ssh.Permissions, error) {
        return perms, nil // bypass: source-address extension never enforced
    },
}
// Attacker triggers auth from 10.0.0.99 (blocked address):
// ssh -i attacker_key -o "SourceAddress 10.0.0.99" user@target
// Result: authentication SUCCEEDS despite source-address restriction

CVE-2024-45337 introduced a source-address check, but it was only applied within the PublicKeyCallback code path. The VerifiedPublicKeyCallback path, called after signature verification to finalize permissions, never received the same source-address enforcement gate.

The patch in CL/781642 extends the source-address validation to also run when VerifiedPublicKeyCallback is invoked, ensuring that Permissions.Extensions source-address restrictions are enforced regardless of which callback handles final authorization. The root cause is CWE-863 (Incorrect Authorization): an incomplete fix where a new callback surface was added without propagating the existing authorization control.

The fix

Upgrade golang.org/x/crypto to v0.52.0 or later: `go get golang.org/x/crypto@v0.52.0`. The patch (go.dev/cl/781642) extends source-address enforcement to the VerifiedPublicKeyCallback path. No server-side config changes are needed after upgrading.

Reported by thatnealpatel (Google).

References: [1][2][3][4][5][6]