CVE-2026-46595 - Go x/crypto ssh VerifiedPublicKeyCallback auth bypass
golang.org/x/crypto/ssh before 0.52.0 can skip source-address validation
when server configurations combine VerifiedPublicKeyCallback with other
callback types incorrectly. The result is an authorization bypass in custom SSH
server policy that assumes prior hardening from CVE-2024-45337 is still in
effect.
The vulnerable shape is not every Go SSH server. It is custom callback wiring that depends on the library to enforce source-address or permission checks.
When to use it
Use this recipe when a Go repository embeds a custom SSH server using
golang.org/x/crypto/ssh, especially when authentication combines
VerifiedPublicKeyCallback, PublicKeyCallback, source-address restrictions,
or permission metadata. It is for authorization review around callback wiring,
not for generic SSH client dependency bumps.
Use it when an agent needs to prove that SSH server policy is explicit in application code and still holds after upgrading the module.
Inputs
- Go modules,
go.sum, vendored dependencies, binary/image manifests, SBOMs, and generated dependency reports that may resolvegolang.org/x/crypto/ssh. ssh.ServerConfigconstruction sites, callback functions, authorized key loaders, principal mapping, source-address policy, and permission checks.- Inventory of custom SSH server paths: bastion, Git/SCM, SFTP, automation, admin shell, device management, CI, or agent-accessible endpoints.
- Test fixtures for keys, principals, source addresses, and denied combinations, using synthetic data rather than production keys or logs.
- Deployment/render commands that prove updated binaries and containers no longer carry the vulnerable module.
Affected versions
- Vulnerable:
golang.org/x/crypto/ssh <0.52.0 - Fixed:
0.52.0+ - Affected surface: custom SSH server auth callback configuration
Indicator-of-exposure
- The repository resolves
golang.org/x/crypto/ssh <0.52.0. - Code sets
VerifiedPublicKeyCallbackor mixes multiple SSH auth callbacks. - Server policy relies on library-enforced source-address or permission checks.
Quick checks:
rg -n "VerifiedPublicKeyCallback|PublicKeyCallback|Permissions|ServerConfig|source-address" .
go list -m all | rg "golang.org/x/crypto"
Windows:
rg -n "VerifiedPublicKeyCallback|PublicKeyCallback|Permissions|ServerConfig|source-address" .
go list -m all | rg "golang.org/x/crypto"
Remediation strategy
- Upgrade
golang.org/x/cryptoto0.52.0+. - Audit every SSH server callback combination for implicit authorization assumptions.
- Enforce explicit source-address and permission validation in application code where policy is security-critical.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-46595 / GHSA-x527-x647-q7gg in Go SSH server code.
Misused callback combinations can skip source-address validation. Produce
exactly one output:
- A reviewer-ready PR/change request that upgrades `golang.org/x/crypto`,
audits callback wiring, adds regression tests, and documents operator
follow-up, or
- TRIAGE.md if this repository does not control an affected SSH server path.
## Rules
- Scope only CVE-2026-46595 and directly related SSH server authorization.
- Treat keys, authorized-principal data, source-address rules, and audit logs
as sensitive.
- Do not expose a live SSH service for exploit testing.
- Do not auto-merge.
## Steps
1. Inventory every Go module, image, and binary controlled here that embeds
`golang.org/x/crypto/ssh`.
2. Confirm whether any resolved version is `<0.52.0`.
3. Trace `ServerConfig` auth callback wiring and policy checks.
4. If no affected SSH server path is controlled here, stop with `TRIAGE.md`.
5. Upgrade to `0.52.0+` and refresh module metadata, vendoring, and images.
6. Make authorization checks explicit when source-address or permission policy
matters.
7. Add regression tests proving unauthorized callback combinations cannot bypass
source-address restrictions.
8. Add a PR body section named `CVE-2026-46595 operator actions` covering
versions before and after, server paths audited, and validation that passed.
9. Run available validation: `go test`, builds, deployment render, and
dependency/security scans.
10. Use PR title:
`fix(sec): remediate Go SSH callback authorization bypass`.
Verification - what the reviewer looks for
- No controlled binary resolves
golang.org/x/crypto/ssh <0.52.0. - SSH server authorization does not depend on the old callback behavior.
- Regression tests cover source-address enforcement.
Watch for
- Updating
go.modbut leaving vendored or containerized older copies. - Assuming callback defaults enforce policy that should live in application code.
Output contract
Return one of:
- A reviewer-ready PR/change request that upgrades
golang.org/x/cryptoto0.52.0+, audits every custom SSH server callback combination, makes source-address and permission checks explicit where required, refreshes generated artifacts, and adds safe regression coverage. TRIAGE.mdwhen no controlled custom SSH server path or affected deployable artifact exists.
The output must list resolved versions before/after, server paths audited, callback combinations, authorization assumptions removed or retained, validation commands, and any operator follow-up. It must not expose private keys, authorized-principal data, source-address allow-lists from production, or live SSH logs.
Related recipes
- Source-code authz tenant boundary audit
- CVE-2026-39831 - Go x/crypto ssh FIDO presence bypass
- CVE-2026-39832 - Go x/crypto ssh agent forwarded constraint loss
References
- GitHub Advisory: https://github.com/advisories/GHSA-x527-x647-q7gg
- Go issue: https://go.dev/issue/79570
- Go fix: https://go.dev/cl/781642
- Go vuln entry: https://pkg.go.dev/vuln/GO-2026-5023