Skip to main content

AsyncSSH CVE-2026-54590

| EUVDEUVD-2026-42400 MEDIUM
Path Traversal (CWE-22)
2026-07-08 security-advisories@github.com
5.9
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
5.9 MEDIUM

Network vector as SSH is remote; AC:H because %u-templated AuthorizedKeysFile is a prerequisite server configuration; PR:N as exploitation occurs during unauthenticated login; no confidentiality or availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 22:21 vuln.today
Patch available
Jul 08, 2026 - 22:04 EUVD

DescriptionCVE.org

AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Version 2.23.0 contains an incomplete fix for CVE-2026-45309 in SSHServerConfig._set_tokens that blocks /, , and .. before %u substitution in AuthorizedKeysFile but does not block a leading ~ or ${ENV}, allowing later expansion in _expand_val and Path(filename).expanduser() to escape the intended authorized-keys directory. This issue is fixed in version 2.23.1.

AnalysisAI

{ENV}) unblocked, enabling escape via Python's Path.expanduser() and _expand_val() expansion. No public exploit has been identified at time of analysis, and CVSS AC:H reflects the prerequisite server-side configuration; however, successful exploitation achieves high integrity impact by enabling authentication with key material from arbitrary filesystem locations.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send SSH connection with crafted username containing ~ or ${ENV} prefix
Delivery
Bypass incomplete _set_tokens sanitization (/, .., . blocked; ~ and ${ENV} not blocked)
Exploit
Path traversal via expanduser() or _expand_val() during AuthorizedKeysFile resolution
Execution
Server resolves authorized-keys path outside intended directory
Persist
Server reads attacker-influenced key material
Impact
SSH authentication succeeds without legitimate credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires that the AsyncSSH SSH server be configured with an AuthorizedKeysFile directive that includes the %u username substitution token (e.g., AuthorizedKeysFile .ssh/authorized_keys_%u or a similar pattern). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 3.1 scores this at 5.9 Medium with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network access to an AsyncSSH server configured with AuthorizedKeysFile using %u substitution connects and presents an SSH username crafted with a leading tilde, such as ~/.ssh/attacker_controlled, during the authentication handshake. The server's unpatched _set_tokens processes the %u substitution, and Python's Path.expanduser() subsequently resolves ~ to the SSH daemon's home directory, causing the server to consult an authorized-keys file outside the intended path. …
Remediation The primary fix is to upgrade AsyncSSH to version 2.23.1, which resolves the incomplete sanitization in SSHServerConfig._set_tokens by additionally blocking leading ~ and ${ENV} patterns before %u substitution. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-54590 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy