CVE-2026-46595 Elastic Security · Elastic

Detect CVE-2026-46595: golang.org/x/crypto/ssh VerifiedPublicKeyCallback Authentication Bypass in Elastic Security

Detects exploitation of CVE-2026-46595, a critical authentication bypass vulnerability (CVSS 10.0) in golang.org/x/crypto/ssh versions prior to 0.52.0. When VerifiedPublicKeyCallback is used, SSH server implementations fail to enforce permission checks, allowing attackers to authenticate without proper authorization. This is a regression/variant of CVE-2024-45337 and carries a public PoC.

MITRE ATT&CK

Tactic
Initial Access Persistence Lateral Movement

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=5m
  [authentication where
    event.action in ("ssh_login", "user_login", "authenticated") and
    event.outcome == "success" and
    (
      process.name in ("sshd", "ssh") or
      user_agent.original like~ "*golang*" or
      user_agent.original like~ "*crypto/ssh*"
    ) and
    authentication.type == "publickey"
  ] by source.ip, user.name
  [network where
    network.protocol == "ssh" and
    event.action == "connection_attempted" and
    source.ip != "127.0.0.1"
  ] by source.ip, user.name
critical severity medium confidence

EQL sequence detection for CVE-2026-46595 that correlates successful SSH public key authentication with subsequent network connections, identifying potential authentication bypass exploitation on Go-based SSH servers.

Data Sources

auditdsystemnetwork

Required Tables

logs-system.auth*logs-network*auditbeat-*

False Positives & Tuning

  • Authorized users performing SSH key-based logins followed by legitimate network activity
  • Automated deployment and configuration management tools using SSH public key auth
  • Security scanning tools performing authenticated SSH checks against managed hosts
  • DevOps workflows involving SSH tunneling and port forwarding for development

Other platforms for CVE-2026-46595

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2026-46595 PoC: VerifiedPublicKeyCallback Auth Bypass Simulation

    Expected signal: SSH authentication log entry showing 'Accepted publickey for testuser' despite the key not being in the authorized_keys list or having required permissions. Process execution events showing 'id', 'hostname', and echo commands as child processes of the SSH daemon.

  2. Test 2Identify Vulnerable golang.org/x/crypto/ssh Deployments via Binary Inspection

    Expected signal: Process execution events for 'go' binary with 'version -m' arguments, file access events on Go binaries in /usr/local/bin, /usr/bin, /opt, and /proc/*/exe paths.

  3. Test 3SSH Brute-Force Simulation Against Go SSH Server to Test Alerting

    Expected signal: Multiple 'Invalid user' or 'Failed publickey' log entries from the lab host IP, followed by potential 'Accepted publickey' entries if testing against a vulnerable server. Network connection events on the SSH port from the test machine.

Last updated: 2026-06-26 Research depth: standard
References (7)

Unlock Pro Content

Get the full detection package for CVE-2026-46595 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0003PersistenceTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1021.004SSHT1550Use Alternate Authentication Material

Same Tactic: Initial Access

Popular Detections