CVE-2026-46595 - Go x/crypto ssh VerifiedPublicKeyCallback auth bypass

golang.org/x/crypto/ssh before 0.52.0 can skip source-address validation when server configurations combine VerifiedPublicKeyCallback with other callback types incorrectly. The result is an authorization bypass in custom SSH server policy that assumes prior hardening from CVE-2024-45337 is still in effect.

The vulnerable shape is not every Go SSH server. It is custom callback wiring that depends on the library to enforce source-address or permission checks.

When to use it

Use this recipe when a Go repository embeds a custom SSH server using golang.org/x/crypto/ssh, especially when authentication combines VerifiedPublicKeyCallback, PublicKeyCallback, source-address restrictions, or permission metadata. It is for authorization review around callback wiring, not for generic SSH client dependency bumps.

Use it when an agent needs to prove that SSH server policy is explicit in application code and still holds after upgrading the module.

Inputs

  • Go modules, go.sum, vendored dependencies, binary/image manifests, SBOMs, and generated dependency reports that may resolve golang.org/x/crypto/ssh.
  • ssh.ServerConfig construction sites, callback functions, authorized key loaders, principal mapping, source-address policy, and permission checks.
  • Inventory of custom SSH server paths: bastion, Git/SCM, SFTP, automation, admin shell, device management, CI, or agent-accessible endpoints.
  • Test fixtures for keys, principals, source addresses, and denied combinations, using synthetic data rather than production keys or logs.
  • Deployment/render commands that prove updated binaries and containers no longer carry the vulnerable module.

Affected versions

  • Vulnerable: golang.org/x/crypto/ssh <0.52.0
  • Fixed: 0.52.0+
  • Affected surface: custom SSH server auth callback configuration

Indicator-of-exposure

  • The repository resolves golang.org/x/crypto/ssh <0.52.0.
  • Code sets VerifiedPublicKeyCallback or mixes multiple SSH auth callbacks.
  • Server policy relies on library-enforced source-address or permission checks.

Quick checks:

rg -n "VerifiedPublicKeyCallback|PublicKeyCallback|Permissions|ServerConfig|source-address" .
go list -m all | rg "golang.org/x/crypto"

Windows:

rg -n "VerifiedPublicKeyCallback|PublicKeyCallback|Permissions|ServerConfig|source-address" .
go list -m all | rg "golang.org/x/crypto"

Remediation strategy

  • Upgrade golang.org/x/crypto to 0.52.0+.
  • Audit every SSH server callback combination for implicit authorization assumptions.
  • Enforce explicit source-address and permission validation in application code where policy is security-critical.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-46595 / GHSA-x527-x647-q7gg in Go SSH server code.
Misused callback combinations can skip source-address validation. Produce
exactly one output:

- A reviewer-ready PR/change request that upgrades `golang.org/x/crypto`,
  audits callback wiring, adds regression tests, and documents operator
  follow-up, or
- TRIAGE.md if this repository does not control an affected SSH server path.

## Rules

- Scope only CVE-2026-46595 and directly related SSH server authorization.
- Treat keys, authorized-principal data, source-address rules, and audit logs
  as sensitive.
- Do not expose a live SSH service for exploit testing.
- Do not auto-merge.

## Steps

1. Inventory every Go module, image, and binary controlled here that embeds
   `golang.org/x/crypto/ssh`.
2. Confirm whether any resolved version is `<0.52.0`.
3. Trace `ServerConfig` auth callback wiring and policy checks.
4. If no affected SSH server path is controlled here, stop with `TRIAGE.md`.
5. Upgrade to `0.52.0+` and refresh module metadata, vendoring, and images.
6. Make authorization checks explicit when source-address or permission policy
   matters.
7. Add regression tests proving unauthorized callback combinations cannot bypass
   source-address restrictions.
8. Add a PR body section named `CVE-2026-46595 operator actions` covering
   versions before and after, server paths audited, and validation that passed.
9. Run available validation: `go test`, builds, deployment render, and
   dependency/security scans.
10. Use PR title:
    `fix(sec): remediate Go SSH callback authorization bypass`.

Verification - what the reviewer looks for

  • No controlled binary resolves golang.org/x/crypto/ssh <0.52.0.
  • SSH server authorization does not depend on the old callback behavior.
  • Regression tests cover source-address enforcement.

Watch for

  • Updating go.mod but leaving vendored or containerized older copies.
  • Assuming callback defaults enforce policy that should live in application code.

Output contract

Return one of:

  • A reviewer-ready PR/change request that upgrades golang.org/x/crypto to 0.52.0+, audits every custom SSH server callback combination, makes source-address and permission checks explicit where required, refreshes generated artifacts, and adds safe regression coverage.
  • TRIAGE.md when no controlled custom SSH server path or affected deployable artifact exists.

The output must list resolved versions before/after, server paths audited, callback combinations, authorization assumptions removed or retained, validation commands, and any operator follow-up. It must not expose private keys, authorized-principal data, source-address allow-lists from production, or live SSH logs.

References