Bug 2498264 (CVE-2026-54590) - CVE-2026-54590 AsyncSSH: AsyncSSH: Unauthorized file modification via authorized-keys directory escape
Summary: CVE-2026-54590 AsyncSSH: AsyncSSH: Unauthorized file modification via authori...
Keywords:
Status: NEW
Alias: CVE-2026-54590
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2498419 2498421 2498422 2498423
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-08 21:02 UTC by OSIDB Bzimport
Modified: 2026-07-09 07:11 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-08 21:02:53 UTC
AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Version 2.23.0 contains an incomplete fix for CVE-2026-45309 in SSHServerConfig._set_tokens that blocks /, , and .. before %u substitution in AuthorizedKeysFile but does not block a leading ~ or ${ENV}, allowing later expansion in _expand_val and Path(filename).expanduser() to escape the intended authorized-keys directory. This issue is fixed in version 2.23.1.


Note You need to log in before you can comment on or make changes to this bug.