CVE-2026-54590

NameCVE-2026-54590
DescriptionAsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Version 2.23.0 contains an incomplete fix for CVE-2026-45309 in SSHServerConfig._set_tokens that blocks /, , and .. before %u substitution in AuthorizedKeysFile but does not block a leading ~ or ${ENV}, allowing later expansion in _expand_val and Path(filename).expanduser() to escape the intended authorized-keys directory. This issue is fixed in version 2.23.1.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1141817

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-asyncssh (PTS)bullseye2.5.0-0.1vulnerable
bullseye (security)2.5.0-0.1+deb11u1vulnerable
bookworm2.10.1-2+deb12u2vulnerable
bookworm (security)2.10.1-2+deb12u1vulnerable
trixie2.20.0-1fixed
forky, sid2.23.0-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-asyncsshsourcetrixie(not affected)
python-asyncsshsource(unstable)(unfixed)1141817

Notes

[trixie] - python-asyncssh <not-affected> (Incomplete fix for CVE-2026-45309 not applied)
https://github.com/ronf/asyncssh/security/advisories/GHSA-qr67-gv47-xwwh
Fixed by: https://github.com/ronf/asyncssh/commit/3d515ba9ba0cd9990d248bdf62bcf05d51261a88 (v2.23.1)

Search for package or bug name: Reporting problems