๐Ÿ” CVE Alert

CVE-2026-54590

MEDIUM 5.9

AsyncSSH AuthorizedKeysFile username substitution bypass through ~ and environment expansion

CVSS Score
5.9
EPSS Score
0.3%
EPSS Percentile
20th

AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Version 2.23.0 contains an incomplete fix for CVE-2026-45309 in SSHServerConfig._set_tokens that blocks /, , and .. before %u substitution in AuthorizedKeysFile but does not block a leading ~ or ${ENV}, allowing later expansion in _expand_val and Path(filename).expanduser() to escape the intended authorized-keys directory. This issue is fixed in version 2.23.1.

CWE CWE-22 CWE-639
Vendor ronf
Product asyncssh
Published Jul 8, 2026
Last Updated Jul 10, 2026
Stay Ahead of the Next One

Get instant alerts for ronf asyncssh

Be the first to know when new medium vulnerabilities affecting ronf asyncssh are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Affected Versions

ronf / asyncssh
< 2.23.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/ronf/asyncssh/security/advisories/GHSA-qr67-gv47-xwwh github.com: https://github.com/ronf/asyncssh/commit/3d515ba9ba0cd9990d248bdf62bcf05d51261a88 github.com: https://github.com/ronf/asyncssh/releases/tag/v2.23.1