Detect CVE-2026-46595: golang.org/x/crypto/ssh VerifiedPublicKeyCallback Authentication Bypass in Splunk
Detects exploitation of CVE-2026-46595, a critical authentication bypass vulnerability (CVSS 10.0) in golang.org/x/crypto/ssh versions prior to 0.52.0. When VerifiedPublicKeyCallback is used, SSH server implementations fail to enforce permission checks, allowing attackers to authenticate without proper authorization. This is a regression/variant of CVE-2024-45337 and carries a public PoC.
MITRE ATT&CK
SPL Detection Query
index=* sourcetype IN ("linux_secure", "syslog", "wineventlog", "osquery")
(
("Accepted publickey" OR "publickey" OR "VerifiedPublicKeyCallback" OR "golang" OR "x/crypto/ssh")
AND ("ssh" OR "sshd")
)
| eval auth_method=case(
match(_raw, "Accepted publickey"), "publickey",
match(_raw, "keyboard-interactive"), "keyboard-interactive",
match(_raw, "password"), "password",
true(), "unknown"
)
| eval src_ip=coalesce(src_ip, src, clientip)
| eval username=coalesce(user, username)
| eval dest_host=coalesce(dest_host, host)
| rex field=_raw "from (?P<extracted_src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| eval src_ip=coalesce(src_ip, extracted_src_ip)
| rex field=_raw "for (?P<extracted_user>\w+) from"
| eval username=coalesce(username, extracted_user)
| where auth_method="publickey"
| stats count AS auth_count, earliest(_time) AS first_seen, latest(_time) AS last_seen, values(auth_method) AS auth_methods by src_ip, username, dest_host
| eval risk_score=case(auth_count > 20, "critical", auth_count > 5, "high", auth_count > 1, "medium", true(), "low")
| eval duration_hours=round((last_seen - first_seen) / 3600, 2)
| convert ctime(first_seen) ctime(last_seen)
| sort - auth_count
| table src_ip, username, dest_host, auth_count, auth_methods, risk_score, duration_hours, first_seen, last_seen

Searches for SSH public key authentication events on potentially vulnerable Go SSH servers. Aggregates authentication attempts by source IP, username, and destination to identify bypass exploitation patterns associated with CVE-2026-46595.
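The SPL above is hard to dry-run outside Splunk, so the following Python re-implements its pipeline stages (the auth_method case(), the two rex extractions, the where filter, the stats/eval aggregation and the sort) over constructed sshd-style log lines. This is an added example, not code from the page or from the golang.org/x/crypto project; the log lines, host names, IPs and fingerprints are all constructed, and the year supplied to the syslog timestamps is an assumption. It also goes one step beyond the SPL: a successful bypass produces an "Accepted publickey" line that looks like any legitimate login, so the example optionally compares the logged key fingerprint against an expected-keys list per user, which is the check a responder would want next.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sshd-style syslog lines (not captured from any real host). The
# addresses and SHA256 fingerprint values are illustrative placeholders.
SAMPLE_LOGS = [
    "Jan 10 10:00:01 bastion1 sshd[101]: Accepted publickey for deploy from 10.0.0.5 port 52211 ssh2: ED25519 SHA256:deploykey1",
    "Jan 10 10:30:05 bastion1 sshd[102]: Accepted publickey for deploy from 10.0.0.5 port 52212 ssh2: ED25519 SHA256:deploykey1",
    "Jan 10 10:00:09 bastion1 sshd[103]: Accepted password for alice from 10.0.0.7 port 40001 ssh2",
    "Jan 10 10:00:12 bastion1 sshd[104]: Failed publickey for root from 203.0.113.9 port 3333 ssh2: RSA SHA256:strangekey",
] + [
    f"Jan 10 10:00:{13 + i} bastion1 sshd[{105 + i}]: Accepted publickey for root from 203.0.113.9 port {3334 + i} ssh2: RSA SHA256:strangekey"
    for i in range(6)
]

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ")
SRC_IP_RE = re.compile(r"from (?P<extracted_src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")  # same rex as the SPL
USER_RE = re.compile(r"for (?P<extracted_user>\w+) from")                               # same rex as the SPL
FINGERPRINT_RE = re.compile(r"(SHA256:\S+)")  # enrichment not present in the SPL


def classify_auth_method(raw):
    """Mirror the SPL case(): first matching branch wins."""
    if "Accepted publickey" in raw:
        return "publickey"
    if "keyboard-interactive" in raw:
        return "keyboard-interactive"
    if "password" in raw:
        return "password"
    return "unknown"


def risk_score(auth_count):
    """Same thresholds as the SPL risk_score eval."""
    if auth_count > 20:
        return "critical"
    if auth_count > 5:
        return "high"
    if auth_count > 1:
        return "medium"
    return "low"


def parse_event(raw, year=2026):
    """Extract the fields the SPL derives with eval/rex from one log line."""
    m = SYSLOG_RE.match(raw)
    if not m:
        return None
    # Syslog timestamps carry no year; the caller supplies one (2026 is an assumption).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    ip = SRC_IP_RE.search(raw)
    user = USER_RE.search(raw)
    fp = FINGERPRINT_RE.search(raw)
    return {
        "_time": ts.timestamp(),
        "dest_host": m["host"],                       # eval dest_host=coalesce(dest_host, host)
        "src_ip": ip["extracted_src_ip"] if ip else None,
        "username": user["extracted_user"] if user else None,
        "auth_method": classify_auth_method(raw),
        "fingerprint": fp.group(1) if fp else None,
    }


def aggregate(lines, expected_keys=None, year=2026):
    """Group publickey logins by (src_ip, username, dest_host) like the SPL stats stage.

    expected_keys (optional, beyond the SPL): {username: {fingerprint, ...}}. A group whose
    logged key is not listed for that user is marked unexpected_key=True.
    """
    expected_keys = expected_keys or {}
    groups = defaultdict(list)
    for raw in lines:
        ev = parse_event(raw, year)
        if ev is None or ev["auth_method"] != "publickey":   # | where auth_method="publickey"
            continue
        groups[(ev["src_ip"], ev["username"], ev["dest_host"])].append(ev)

    rows = []
    for (src_ip, username, dest_host), evs in groups.items():
        times = [e["_time"] for e in evs]
        first, last = min(times), max(times)
        seen_keys = {e["fingerprint"] for e in evs if e["fingerprint"]}
        rows.append({
            "src_ip": src_ip,
            "username": username,
            "dest_host": dest_host,
            "auth_count": len(evs),
            "risk_score": risk_score(len(evs)),
            "duration_hours": round((last - first) / 3600, 2),
            "first_seen": datetime.fromtimestamp(first, timezone.utc).isoformat(),
            "last_seen": datetime.fromtimestamp(last, timezone.utc).isoformat(),
            "unexpected_key": bool(seen_keys - expected_keys.get(username, set())),
        })
    rows.sort(key=lambda r: r["auth_count"], reverse=True)   # | sort - auth_count
    return rows


if __name__ == "__main__":
    for row in aggregate(SAMPLE_LOGS, expected_keys={"deploy": {"SHA256:deploykey1"}}):
        print(row)
```

On the constructed input the root logins from 203.0.113.9 score "high" (six accepted logins, key not on the expected list) while the deploy account's two logins score "medium" with a known key. Note what the rule cannot do: the count thresholds are the only signal the SPL has, so a single bypass login from a source that otherwise looks normal scores "low"; the fingerprint comparison is what separates an unauthorized key from a busy but legitimate one.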
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate SSH key authentication by authorized system administrators and developers
- Automated scripts and orchestration tools using Go SSH libraries for system management
- Jump servers or bastion hosts handling high volumes of legitimate SSH connections
- CI/CD pipelines deploying code via SSH with public key authentication
Other platforms for CVE-2026-46595
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: CVE-2026-46595 PoC: VerifiedPublicKeyCallback Auth Bypass Simulation
Expected signal: SSH authentication log entry showing 'Accepted publickey for testuser' despite the key not being in the authorized_keys list or having required permissions. Process execution events showing 'id', 'hostname', and echo commands as child processes of the SSH daemon.
- Test 2: Identify Vulnerable golang.org/x/crypto/ssh Deployments via Binary Inspection
Expected signal: Process execution events for 'go' binary with 'version -m' arguments, file access events on Go binaries in /usr/local/bin, /usr/bin, /opt, and /proc/*/exe paths.
- Test 3: SSH Brute-Force Simulation Against Go SSH Server to Test Alerting
Expected signal: Multiple 'Invalid user' or 'Failed publickey' log entries from the lab host IP, followed by potential 'Accepted publickey' entries if testing against a vulnerable server. Network connection events on the SSH port from the test machine.
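Test 2 relies on `go version -m` to read the module list embedded in each Go binary. The following Python, added here as an example and not code from the page or the Go project, parses that output (the sample is constructed; the module checksums are placeholders) and compares the embedded golang.org/x/crypto version against the 0.52.0 fix version stated above. How it treats replace directives and pseudo-versions is my choice for surfacing ambiguous cases, not something the page specifies.

```python
import re

TARGET_MODULE = "golang.org/x/crypto"
FIXED_VERSION = (0, 52, 0)  # the advisory text above states the fix is in 0.52.0

# Constructed `go version -m` output for four binaries. Real output has the same shape:
# an unindented "path: goX.Y.Z" header, then tab-indented path/mod/dep/=>/build lines.
# The h1: sums are placeholders, not real checksums.
SAMPLE_OUTPUT = (
    "/usr/local/bin/sshgw: go1.22.3\n"
    "\tpath\texample.com/sshgw\n"
    "\tmod\texample.com/sshgw\t(devel)\n"
    "\tdep\tgolang.org/x/crypto\tv0.31.0\th1:PLACEHOLDERSUM=\n"
    "\tdep\tgolang.org/x/sys\tv0.28.0\th1:PLACEHOLDERSUM=\n"
    "\tbuild\t-buildmode=exe\n"
    "/opt/tools/relay: go1.23.1\n"
    "\tpath\texample.com/relay\n"
    "\tmod\texample.com/relay\tv1.4.0\th1:PLACEHOLDERSUM=\n"
    "\tdep\tgolang.org/x/crypto\tv0.52.0\th1:PLACEHOLDERSUM=\n"
    "\tbuild\t-buildmode=exe\n"
    "/opt/tools/forked: go1.23.1\n"
    "\tpath\texample.com/forked\n"
    "\tmod\texample.com/forked\t(devel)\n"
    "\tdep\tgolang.org/x/crypto\tv0.40.0\th1:PLACEHOLDERSUM=\n"
    "\t=>\tgithub.com/example/crypto-fork\tv1.0.0\th1:PLACEHOLDERSUM=\n"
    "\tbuild\t-buildmode=exe\n"
    "/opt/tools/nossh: go1.23.1\n"
    "\tpath\texample.com/nossh\n"
    "\tmod\texample.com/nossh\t(devel)\n"
    "\tbuild\t-buildmode=exe\n"
)


def parse_version(v):
    """Return (major, minor, patch) for a Go module version, or None for (devel) etc.

    Pseudo-versions such as v0.0.0-20220314234659-abcdef compare by their base tuple,
    which is conservative: a snapshot of an old base is treated as that old version.
    """
    m = re.match(r"v(\d+)\.(\d+)\.(\d+)", v)
    return tuple(int(x) for x in m.groups()) if m else None


def parse_go_version_m(output):
    """Parse `go version -m` output into {binary_path: {module: {version, replacement}}}."""
    binaries, current, last_mod = {}, None, None
    for line in output.splitlines():
        if not line.startswith("\t"):
            # Header line: "<path>: go1.x.y" (or "<path>: not a Go executable").
            current = binaries.setdefault(line.split(":", 1)[0], {})
            last_mod = None
            continue
        if current is None:
            continue
        fields = line[1:].split("\t")
        kind = fields[0]
        if kind in ("mod", "dep") and len(fields) >= 3:
            current[fields[1]] = {"version": fields[2], "replacement": None}
            last_mod = fields[1]
        elif kind == "=>" and last_mod is not None and len(fields) >= 3:
            # A replace directive applies to the dep line immediately above it.
            current[last_mod]["replacement"] = (fields[1], fields[2])
    return binaries


def assess(binaries, module=TARGET_MODULE, fixed=FIXED_VERSION):
    """Classify each binary that embeds `module` as vulnerable, fixed, replaced or unparsed."""
    findings = []
    for path, mods in binaries.items():
        info = mods.get(module)
        if info is None:
            continue  # module not linked into this binary
        if info["replacement"] and info["replacement"][0] != module:
            # Replaced by a different module path: its version numbers no longer line up
            # with upstream, so report it for manual review rather than guessing.
            findings.append((path, info["version"], "replaced"))
            continue
        version = info["replacement"][1] if info["replacement"] else info["version"]
        parsed = parse_version(version)
        if parsed is None:
            status = "unparsed"
        elif parsed < fixed:
            status = "vulnerable"
        else:
            status = "fixed"
        findings.append((path, version, status))
    return findings


if __name__ == "__main__":
    for path, version, status in assess(parse_go_version_m(SAMPLE_OUTPUT)):
        print(f"{status:10} {version:12} {path}")
```

In practice the input comes from running `go version -m` over the paths listed in Test 2 and feeding the combined output to `parse_go_version_m`. Two caveats a responder should keep in mind: binaries built without module information (or with the build info stripped) report nothing and need another inventory source, and a vulnerable library version only shows exposure, since the bypass applies to servers that actually use VerifiedPublicKeyCallback, which binary inspection alone cannot confirm.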