CVE-2026-46595 IBM QRadar · QRadar

Detect CVE-2026-46595: golang.org/x/crypto/ssh VerifiedPublicKeyCallback Authentication Bypass in IBM QRadar

Detects exploitation of CVE-2026-46595, a critical authentication bypass vulnerability (CVSS 10.0) in golang.org/x/crypto/ssh versions prior to 0.52.0. When VerifiedPublicKeyCallback is used, SSH server implementations fail to enforce permission checks, allowing attackers to authenticate without proper authorization. This is a regression/variant of CVE-2024-45337 and carries a public PoC.

MITRE ATT&CK

Tactic
Initial Access Persistence Lateral Movement

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  username,
  QIDNAME(qid) AS event_name,
  category,
  logsourcename(logsourceid) AS log_source,
  "eventcount",
  UTF8(payload) AS raw_payload
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Linux OS', 'SolarWinds Orion', 'OpenSSH')
  AND (
    UTF8(payload) ILIKE '%Accepted publickey%'
    OR UTF8(payload) ILIKE '%publickey authentication%'
    OR UTF8(payload) ILIKE '%VerifiedPublicKeyCallback%'
    OR UTF8(payload) ILIKE '%golang.org/x/crypto/ssh%'
  )
  AND category IN (5000, 5001, 5002, 5003)
  AND username IS NOT NULL
  AND username != ''
LAST 24 HOURS
ORDER BY starttime DESC
critical severity medium confidence

QRadar AQL query to identify SSH authentication events potentially exploiting CVE-2026-46595 by searching for publickey authentication successes on Go SSH server implementations across Linux and SSH log sources.

Data Sources

Linux OSOpenSSHSyslog

Required Tables

events

False Positives & Tuning

  • Routine SSH public key authentication by system administrators and developers
  • Automated backup systems and monitoring agents authenticating via SSH keys
  • Configuration management tools such as Ansible and Puppet using SSH key authentication
  • Service accounts performing legitimate programmatic SSH operations

Other platforms for CVE-2026-46595

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2026-46595 PoC: VerifiedPublicKeyCallback Auth Bypass Simulation

    Expected signal: SSH authentication log entry showing 'Accepted publickey for testuser' despite the key not being in the authorized_keys list or having required permissions. Process execution events showing 'id', 'hostname', and echo commands as child processes of the SSH daemon.

  2. Test 2Identify Vulnerable golang.org/x/crypto/ssh Deployments via Binary Inspection

    Expected signal: Process execution events for 'go' binary with 'version -m' arguments, file access events on Go binaries in /usr/local/bin, /usr/bin, /opt, and /proc/*/exe paths.

  3. Test 3SSH Brute-Force Simulation Against Go SSH Server to Test Alerting

    Expected signal: Multiple 'Invalid user' or 'Failed publickey' log entries from the lab host IP, followed by potential 'Accepted publickey' entries if testing against a vulnerable server. Network connection events on the SSH port from the test machine.

Last updated: 2026-06-26 Research depth: standard
References (7)

Unlock Pro Content

Get the full detection package for CVE-2026-46595 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0003PersistenceTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1021.004SSHT1550Use Alternate Authentication Material

Same Tactic: Initial Access

Popular Detections