CVE-2026-46595 Sumo Logic CSE · Sumo

Detect CVE-2026-46595: golang.org/x/crypto/ssh VerifiedPublicKeyCallback Authentication Bypass in Sumo Logic CSE

Detects exploitation of CVE-2026-46595, a critical authentication bypass vulnerability (CVSS 10.0) in golang.org/x/crypto/ssh versions prior to 0.52.0. When VerifiedPublicKeyCallback is used, SSH server implementations fail to enforce permission checks, allowing attackers to authenticate without proper authorization. This is a regression/variant of CVE-2024-45337 and carries a public PoC.

MITRE ATT&CK

Tactic
Initial Access Persistence Lateral Movement

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=linux/auth OR _sourceCategory=syslog OR _sourceCategory=ssh
| where _raw matches /Accepted publickey|publickey authentication|VerifiedPublicKeyCallback|golang.*ssh/
| parse regex "for (?P<username>\w+) from (?P<src_ip>[\d\.]+)" nodrop
| parse regex "Accepted (?P<auth_method>\w+) for" nodrop
| where auth_method = "publickey" or isNull(auth_method)
| timeslice 15m
| count by _timeslice, src_ip, username, _sourceHost
| where _count >= 1
| sort by _count desc
| fields _timeslice, src_ip, username, _sourceHost, _count
critical severity medium confidence

Sumo Logic query detecting SSH public key authentication events on systems potentially running vulnerable golang.org/x/crypto/ssh implementations. Aggregates events by time window to identify exploitation patterns for CVE-2026-46595.

Data Sources

linux/authsyslogssh

Required Tables

linux/authsyslog

False Positives & Tuning

  • High-volume legitimate SSH key authentication in enterprise environments
  • Automated cloud infrastructure provisioning using SSH key-based authentication
  • Developer SSH sessions using key-based authentication for daily work
  • Load balancers and health check systems performing SSH connectivity tests

Other platforms for CVE-2026-46595

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2026-46595 PoC: VerifiedPublicKeyCallback Auth Bypass Simulation

    Expected signal: SSH authentication log entry showing 'Accepted publickey for testuser' despite the key not being in the authorized_keys list or having required permissions. Process execution events showing 'id', 'hostname', and echo commands as child processes of the SSH daemon.

  2. Test 2Identify Vulnerable golang.org/x/crypto/ssh Deployments via Binary Inspection

    Expected signal: Process execution events for 'go' binary with 'version -m' arguments, file access events on Go binaries in /usr/local/bin, /usr/bin, /opt, and /proc/*/exe paths.

  3. Test 3SSH Brute-Force Simulation Against Go SSH Server to Test Alerting

    Expected signal: Multiple 'Invalid user' or 'Failed publickey' log entries from the lab host IP, followed by potential 'Accepted publickey' entries if testing against a vulnerable server. Network connection events on the SSH port from the test machine.

Last updated: 2026-06-26 Research depth: standard
References (7)

Unlock Pro Content

Get the full detection package for CVE-2026-46595 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0003PersistenceTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1021.004SSHT1550Use Alternate Authentication Material

Same Tactic: Initial Access

Popular Detections