CVE-2026-46595: golang.org/x/crypto/ssh VerifiedPublicKeyCallback Authentication Bypass

Detects exploitation of CVE-2026-46595, a critical (CVSS 10.0) authentication bypass in golang.org/x/crypto/ssh versions prior to 0.52.0. When a server uses VerifiedPublicKeyCallback, the permission checks that callback is expected to enforce are not applied, so an attacker can complete authentication without the authorization the server intended to require. The issue is a regression/variant of CVE-2024-45337 (an earlier x/crypto/ssh PublicKeyCallback authorization bypass), and a public PoC exists.

Vulnerability Intelligence

Public PoC: available

What is CVE-2026-46595 (golang.org/x/crypto/ssh VerifiedPublicKeyCallback Authentication Bypass)?

In MITRE ATT&CK terms, CVE-2026-46595 maps to the Initial Access, Persistence and Lateral Movement tactics: an adversary who can pass SSH public-key authentication without an authorized key gets onto a host, keeps that access, and reuses the same flaw to reach other hosts running the vulnerable server.

This page provides production-ready detection logic for CVE-2026-46595, covering the telemetry it touches: CommonSecurityLog, Syslog, DeviceProcessEvents and SecurityEvent. The detection is rated critical severity at medium confidence and is listed for 7 SIEM platforms (KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale); the KQL version is reproduced below.

MITRE ATT&CK

Tactics:
  • Initial Access
  • Persistence
  • Lateral Movement
Microsoft Sentinel / Defender (KQL)

union isfuzzy=true
(
  // CEF/Syslog-forwarded SSH logs: successful public-key (or keyboard-interactive) authentication
  CommonSecurityLog
  | where DeviceEventClassID has_any ("sshd", "openssh", "ssh")
  | where Message has_any ("Accepted publickey", "publickey authentication", "keyboard-interactive")
  | where DeviceProduct has_any ("go", "golang", "ssh")
  // Verbatim (@"...") strings keep the regex backslashes intact
  | extend AuthMethod = extract(@"auth method: ([\w-]+)", 1, Message)
  | extend Username = extract(@"for (\w+) from", 1, Message)
  | project TimeGenerated, Computer, SourceIP, DestinationIP, Username, AuthMethod, Message
),
(
  // Native syslog from the SSH daemon: accepted logins and any message naming the callback
  Syslog
  | where Facility == "auth" or SyslogMessage has "sshd"
  | where SyslogMessage has_any ("Accepted", "publickey", "VerifiedPublicKey")
  | extend Username = extract(@"for (\w+) from", 1, SyslogMessage)
  | extend SourceIP = extract(@"from ([\d.]+)", 1, SyslogMessage)
  | project TimeGenerated, Computer = HostName, SourceIP, Username, Message = SyslogMessage
),
(
  // Endpoint process telemetry: ssh/sshd started from, or under, a Go toolchain path.
  // DeviceProcessEvents has no RemoteIP column, so the peer address is taken from the
  // command line (ssh user@host) when present.
  DeviceProcessEvents
  | where FileName in~ ("ssh", "sshd") or ProcessCommandLine has "ssh"
  | where InitiatingProcessFileName has_any ("go", "golang") or FolderPath has "golang"
  | extend SourceIP = extract(@"(\d{1,3}(?:\.\d{1,3}){3})", 1, ProcessCommandLine)
  | project TimeGenerated, Computer = DeviceName, SourceIP, Username = AccountName, Message = ProcessCommandLine
)
| where isnotempty(SourceIP)
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by SourceIP, Username, Computer
| extend RiskScore = case(Count > 10, "High", Count > 3, "Medium", "Low")
| sort by LastSeen desc

Flags successful SSH public-key authentication on hosts running Go-based SSH servers that may be vulnerable to CVE-2026-46595, correlating CommonSecurityLog, Syslog and process telemetry by source address, user and host. A bypass produces an ordinary-looking accepted login, so the query surfaces candidates rather than confirmed exploitation: confirming it means checking whether the accepted key (or the account's permissions) was actually authorized on that host, as in the Testing Methodology section.
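The confirmation step the query above cannot perform, as an added worked example (this is not the page's own detection code and not code from golang.org/x/crypto): parse OpenSSH-style "Accepted publickey" lines, compute the SHA256 fingerprint of every key in an authorized_keys file, and report accepted logins whose key fingerprint is not in that file, which is exactly the signal Test 1 below expects from a successful bypass. It assumes the Go-based server logs in the OpenSSH format that includes the key fingerprint; the authorized_keys entry (a fixed 32-byte filler, not a real key) and the log lines are constructed inline.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"regexp"
	"strings"
)

// AcceptedLogin is one "Accepted publickey" event parsed from an sshd-style log line.
type AcceptedLogin struct {
	User, SourceIP, KeyType, Fingerprint string // Fingerprint is the OpenSSH "SHA256:<base64>" form
}

// acceptedRe matches the OpenSSH log format; this example assumes the Go server logs the same way.
var acceptedRe = regexp.MustCompile(`Accepted publickey for (\S+) from (\S+) port \d+ ssh2: (\S+) (SHA256:\S+)`)

// ParseAccepted extracts user, source IP, key type and fingerprint from one log line.
func ParseAccepted(line string) (AcceptedLogin, bool) {
	m := acceptedRe.FindStringSubmatch(line)
	if m == nil {
		return AcceptedLogin{}, false
	}
	return AcceptedLogin{User: m[1], SourceIP: m[2], KeyType: m[3], Fingerprint: m[4]}, true
}

// Fingerprint returns the OpenSSH SHA256 fingerprint of a raw public-key blob:
// unpadded base64 of the SHA-256 digest of the wire-format key.
func Fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// AuthorizedFingerprints maps the fingerprint of each key in authorized_keys text to its comment.
// An optional options column (e.g. command="...") before the key type is skipped.
func AuthorizedFingerprints(authorizedKeys string) (map[string]string, error) {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(authorizedKeys))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		i := 0
		for i < len(fields) && !isKeyType(fields[i]) {
			i++
		}
		if i+1 >= len(fields) {
			return nil, fmt.Errorf("malformed authorized_keys line: %q", line)
		}
		blob, err := base64.StdEncoding.DecodeString(fields[i+1])
		if err != nil {
			return nil, fmt.Errorf("bad key blob in %q: %w", line, err)
		}
		out[Fingerprint(blob)] = strings.Join(fields[i+2:], " ")
	}
	return out, sc.Err()
}

func isKeyType(s string) bool {
	return strings.HasPrefix(s, "ssh-") || strings.HasPrefix(s, "ecdsa-") || strings.HasPrefix(s, "sk-")
}

// Unauthorized returns every accepted public-key login whose key is not in authorized_keys.
func Unauthorized(logLines []string, authorized map[string]string) []AcceptedLogin {
	var hits []AcceptedLogin
	for _, l := range logLines {
		if ev, ok := ParseAccepted(l); ok {
			if _, known := authorized[ev.Fingerprint]; !known {
				hits = append(hits, ev)
			}
		}
	}
	return hits
}

// sshString encodes b as an SSH wire-format string (uint32 length prefix + bytes).
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// SampleAuthorizedKeys is a constructed authorized_keys file: one syntactically valid
// ssh-ed25519 entry whose 32 bytes of key material are a fixed filler, not a real key.
func SampleAuthorizedKeys() string {
	pub := make([]byte, 32)
	for i := range pub {
		pub[i] = byte(i)
	}
	blob := append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
	return "# constructed sample\nssh-ed25519 " + base64.StdEncoding.EncodeToString(blob) + " deploy@example\n"
}

// SampleLogLines are constructed sshd-style events: a login with the authorized key,
// a login with a key that is not in authorized_keys, and a failure that must be ignored.
func SampleLogLines(authorizedFP string) []string {
	return []string{
		"Mar  1 10:00:01 host1 sshd[4242]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: ED25519 " + authorizedFP,
		"Mar  1 10:00:07 host1 sshd[4243]: Accepted publickey for testuser from 198.51.100.9 port 51300 ssh2: ED25519 SHA256:notInAuthorizedKeysConstructedFingerprint",
		"Mar  1 10:00:09 host1 sshd[4244]: Failed publickey for root from 198.51.100.9 port 51301 ssh2: RSA SHA256:anotherConstructedFingerprint",
	}
}

func main() {
	authorized, err := AuthorizedFingerprints(SampleAuthorizedKeys())
	if err != nil {
		panic(err)
	}
	var legit string
	for fp := range authorized {
		legit = fp // the single constructed key
	}
	for _, h := range Unauthorized(SampleLogLines(legit), authorized) {
		fmt.Printf("REVIEW: %s from %s used %s key %s not present in authorized_keys\n", h.User, h.SourceIP, h.KeyType, h.Fingerprint)
	}
}
```

On a real host, replace SampleAuthorizedKeys with the contents of the account's authorized_keys (or whatever key store the Go server consults) and SampleLogLines with the auth log; a hit means the daemon accepted a key it should not have, which is the condition the Testing Methodology section describes for a successful bypass.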

Severity: critical. Confidence: medium.

Data Sources

  • CommonSecurityLog
  • Syslog
  • DeviceProcessEvents
  • SecurityEvent (listed as a data source; not referenced by the KQL above)

Required Tables

  • CommonSecurityLog
  • Syslog
  • DeviceProcessEvents

False Positives

  • Legitimate SSH public key authentication by authorized users on Go-based SSH servers
  • Automated deployment pipelines or CI/CD systems using Go SSH libraries for key-based authentication
  • Monitoring agents or security tools built with golang.org/x/crypto/ssh performing health checks
  • SSH multiplexing or persistent connections from developer workstations

Sigma rule & cross-platform mapping

The detection logic for CVE-2026-46595 above is provided in a vendor-neutral form so it can be deployed on any SIEM. The same logic is listed as native queries for Microsoft Sentinel / Defender (KQL), Splunk (SPL), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps (YARA-L) and CrowdStrike LogScale (CQL). In Sigma terms the two authentication-log branches target the SSH daemon's log on Linux, and the process-telemetry branch targets process creation on the same platform:

logsource:
  product: linux
  service: sshd

logsource:
  category: process_creation
  product: linux

Testing Methodology

Validate this detection against the 3 adversary techniques below, modelled on Atomic Red Team tests. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: CVE-2026-46595 PoC, VerifiedPublicKeyCallback auth bypass simulation

    Expected signal: SSH authentication log entry showing 'Accepted publickey for testuser' although the key is not in the authorized_keys list or lacks the required permissions. Process execution events showing 'id', 'hostname' and echo commands as child processes of the SSH daemon.

  2. Test 2: Identify vulnerable golang.org/x/crypto/ssh deployments via binary inspection

    Expected signal: Process execution events for the 'go' binary with 'version -m' arguments, and file access events on Go binaries under /usr/local/bin, /usr/bin, /opt and /proc/*/exe.

  3. Test 3: SSH brute-force simulation against a Go SSH server to test alerting

    Expected signal: Multiple 'Invalid user' or 'Failed publickey' log entries from the lab host IP, followed by 'Accepted publickey' entries if the target server is vulnerable. Network connection events on the SSH port from the test machine.
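The check behind Test 2, as an added worked example (not the page's own tooling and not code from the Go project): Go binaries built with modules embed their dependency list, which `go version -m <binary>` prints as tab-separated `dep` lines, with a `=>` line after a dependency that a replace directive substituted. The program below parses that output, takes the version actually linked, and compares it with the fixed version the page gives (0.52.0), handling two cases a naive string comparison gets wrong: replaced modules and pseudo-versions such as v0.52.0-0.2026...-abcdef, which are older than the v0.52.0 tag. The output it parses is constructed to match the `go version -m` format and is not from a real binary; the fixed-version threshold is the only CVE-specific assumption.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Status is the outcome of checking the golang.org/x/crypto version a binary links.
type Status string

const (
	StatusVulnerable Status = "vulnerable" // linked x/crypto is older than the fixed version
	StatusFixed      Status = "fixed"
	StatusUnknown    Status = "unknown" // version field is not a vX.Y.Z tag (e.g. a local directory replace)
	StatusAbsent     Status = "absent"  // the binary does not link golang.org/x/crypto at all
)

// SampleGoVersionM is constructed output in the shape `go version -m <binary>` prints
// (tab-separated fields). It is not taken from a real binary.
const SampleGoVersionM = "/usr/local/bin/sshd-go: go1.22.3\n" +
	"\tpath\texample.com/sshd-go\n" +
	"\tmod\texample.com/sshd-go\t(devel)\n" +
	"\tdep\tgolang.org/x/crypto\tv0.50.0\th1:constructedhash=\n" +
	"\tdep\tgolang.org/x/sys\tv0.30.0\th1:constructedhash=\n" +
	"\tbuild\t-buildmode=exe\n"

// ParseDeps returns module path -> version actually linked, honoring "=>" replacement lines.
func ParseDeps(goVersionM string) map[string]string {
	deps := map[string]string{}
	last := ""
	sc := bufio.NewScanner(strings.NewReader(goVersionM))
	for sc.Scan() {
		f := strings.Split(strings.TrimPrefix(sc.Text(), "\t"), "\t")
		switch {
		case f[0] == "dep" && len(f) >= 3:
			deps[f[1]] = f[2]
			last = f[1]
		case f[0] == "=>" && len(f) >= 3 && last != "":
			deps[last] = f[2] // the replacement is what the binary actually contains
		}
	}
	return deps
}

// parseVersion splits "vMAJOR.MINOR.PATCH[-prerelease][+build]" into numbers and a pre-release flag.
// Pseudo-versions carry a "-" suffix and therefore sort before their base tag.
func parseVersion(v string) (n [3]int, pre bool, ok bool) {
	if !strings.HasPrefix(v, "v") {
		return n, false, false
	}
	v = v[1:]
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		pre = v[i] == '-'
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return n, false, false
	}
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil {
			return n, false, false
		}
		n[i] = x
	}
	return n, pre, true
}

// CompareVersion returns -1, 0 or 1 for a < b, a == b, a > b under Go module version ordering.
func CompareVersion(a, b string) int {
	na, prea, _ := parseVersion(a)
	nb, preb, _ := parseVersion(b)
	for i := 0; i < 3; i++ {
		if na[i] != nb[i] {
			if na[i] < nb[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case prea && !preb:
		return -1
	case !prea && preb:
		return 1
	}
	return 0
}

// Check reports the golang.org/x/crypto version a binary links and whether it is below fixedVersion.
func Check(goVersionM, fixedVersion string) (string, Status) {
	v, ok := ParseDeps(goVersionM)["golang.org/x/crypto"]
	if !ok {
		return "", StatusAbsent
	}
	if _, _, valid := parseVersion(v); !valid {
		return v, StatusUnknown
	}
	if CompareVersion(v, fixedVersion) < 0 {
		return v, StatusVulnerable
	}
	return v, StatusFixed
}

func main() {
	// On a real host, feed the output of: go version -m /path/to/binary
	v, st := Check(SampleGoVersionM, "v0.52.0")
	fmt.Printf("golang.org/x/crypto %s: %s\n", v, st)
}
```

A "fixed" result only says the library is new enough; a server whose own callback code mishandles permissions is out of scope for this check, and an "unknown" result (a local replace or a (devel) version) needs manual inspection of the vendored source.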
