Intel

AIKIDO-2026-11022

golang.org/x/crypto is vulnerable to Authorization Bypass

Authorization BypassCVE-2026-46595 Published Jun 2, 2026

100

Critical Risk

This Affects:

GOgolang.org/x/crypto
0.0.0 - 0.51.0
Fixed in 0.52.0
Are you affected? Scan for Free

TL;DR

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and if you use the golang.org/x/crypto/ssh functionalities.

Background info

golang.org/x/crypto is vulnerable to Authorization Bypass in versions 0.0.0 - 0.51.0.

How to fix this

Upgrade the golang.org/x/crypto library to the patch version.

Links

pkg.go.dev/vuln/GO-2026-5023
https://pkg.go.dev/vuln/GO-2026-5023
go.dev/cl/781642
https://go.dev/cl/781642
go.dev/issue/79570
https://go.dev/issue/79570
groups.google.com/g/golang-announce/c/a082jnz-LvI
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
access.redhat.com/errata/RHSA-2026:23262
https://access.redhat.com/errata/RHSA-2026:23262
access.redhat.com/errata/RHSA-2026:23264
https://access.redhat.com/errata/RHSA-2026:23264
access.redhat.com/errata/RHSA-2026:26546
https://access.redhat.com/errata/RHSA-2026:26546
access.redhat.com/errata/RHSA-2026:26547
https://access.redhat.com/errata/RHSA-2026:26547
access.redhat.com/errata/RHSA-2026:30650
https://access.redhat.com/errata/RHSA-2026:30650
access.redhat.com/errata/RHSA-2026:30651
https://access.redhat.com/errata/RHSA-2026:30651
access.redhat.com/errata/RHSA-2026:33524
https://access.redhat.com/errata/RHSA-2026:33524
access.redhat.com/errata/RHSA-2026:33531
https://access.redhat.com/errata/RHSA-2026:33531
access.redhat.com/errata/RHSA-2026:36207
https://access.redhat.com/errata/RHSA-2026:36207
access.redhat.com/errata/RHSA-2026:36648
https://access.redhat.com/errata/RHSA-2026:36648
access.redhat.com/errata/RHSA-2026:36651
https://access.redhat.com/errata/RHSA-2026:36651
access.redhat.com/errata/RHSA-2026:36796
https://access.redhat.com/errata/RHSA-2026:36796
access.redhat.com/errata/RHSA-2026:36797
https://access.redhat.com/errata/RHSA-2026:36797
access.redhat.com/errata/RHSA-2026:36808
https://access.redhat.com/errata/RHSA-2026:36808
access.redhat.com/errata/RHSA-2026:36820
https://access.redhat.com/errata/RHSA-2026:36820
access.redhat.com/errata/RHSA-2026:37275
https://access.redhat.com/errata/RHSA-2026:37275
access.redhat.com/errata/RHSA-2026:37387
https://access.redhat.com/errata/RHSA-2026:37387
access.redhat.com/errata/RHSA-2026:40118
https://access.redhat.com/errata/RHSA-2026:40118
access.redhat.com/errata/RHSA-2026:40945
https://access.redhat.com/errata/RHSA-2026:40945
access.redhat.com/errata/RHSA-2026:41019
https://access.redhat.com/errata/RHSA-2026:41019
access.redhat.com/errata/RHSA-2026:41036
https://access.redhat.com/errata/RHSA-2026:41036
access.redhat.com/security/cve/CVE-2026-46595
https://access.redhat.com/security/cve/CVE-2026-46595
bugzilla.redhat.com/show_bug.cgi?id=2480689
https://bugzilla.redhat.com/show_bug.cgi?id=2480689
security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46595.json
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46595.json