CVE-2026-46705
Deferred - Pending Action

Authentication State Mismatch in Russh SSH Library

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description

Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, the russh server authentication path keeps internal userauth state across SSH_MSG_USERAUTH_REQUEST messages without separating that state when the request principal changes. RFC 4252 allows the user name and service name fields to change between authentication requests. The issue is not that such changes are invalid. The issue is that russh-owned authentication state, such as remaining methods, partial-success state, and in-progress method state, can remain associated with the connection and then influence a later request for a different (user, service). This is an internal library state mismatch. This issue has been patched in version 0.61.0.
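
A simplified model of the state mismatch described above, added here as an example; it is not russh code and not the 0.61.0 patch. The `Principal` and `AuthState` types, the two-method policy and the `separate` switch are assumptions made for illustration.

```rust
use std::collections::BTreeSet;

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Principal { pub user: String, pub service: String }

// Assumed policy for this model: every principal must complete both methods.
const REQUIRED: [&str; 2] = ["publickey", "password"];

/// Per-connection userauth bookkeeping (illustrative, not russh's types).
#[derive(Debug, Default)]
pub struct AuthState {
    bound_to: Option<Principal>,
    completed: BTreeSet<&'static str>, // methods that already succeeded
}

impl AuthState {
    /// Record a successful method for `p`; true once all REQUIRED methods are done.
    /// separate == false: state stays connection-scoped (the mismatch).
    /// separate == true: state is discarded when (user, service) changes.
    pub fn method_ok(&mut self, p: &Principal, method: &'static str, separate: bool) -> bool {
        if separate && self.bound_to.as_ref() != Some(p) {
            self.completed.clear();
        }
        self.bound_to = Some(p.clone());
        self.completed.insert(method);
        REQUIRED.iter().all(|m| self.completed.contains(m))
    }
}

/// Constructed sequence: publickey succeeds for alice, then password for bob.
pub fn run(separate: bool) -> bool {
    let p = |u: &str| Principal { user: u.into(), service: "ssh-connection".into() };
    let (alice, bob) = (p("alice"), p("bob"));
    let mut st = AuthState::default();
    let partial = st.method_ok(&alice, "publickey", separate);
    assert!(!partial); // one of two methods done: not yet authenticated
    st.method_ok(&bob, "password", separate)
}

fn main() {
    println!("connection-scoped state completes bob's auth: {}", run(false));
    println!("principal-scoped state completes bob's auth:  {}", run(true));
}
```

In the model, binding the bookkeeping to the (user, service) pair means a later request for a different principal starts from an empty state.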

Meta Information

Published: 2026-06-10
Last Modified: 2026-06-11
Generated: 2026-07-01
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Vendor: russh
Product: russh
Version / Range: to 0.61.0 (exc)

Exploitability

CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Executive Summary

This vulnerability exists in the russh Rust SSH client and server library versions from 0.34.0-beta.1 up to but not including 0.61.0. The issue is that the server authentication path keeps internal user authentication state across SSH_MSG_USERAUTH_REQUEST messages without properly separating that state when the request principal (user or service) changes.

According to RFC 4252, the user name and service name fields can change between authentication requests, which is valid behavior. However, russh incorrectly retains authentication state such as remaining authentication methods, partial-success state, and in-progress method state across these changes. This causes an internal state mismatch where authentication information from one user or service request can improperly influence another.

This flaw was fixed in version 0.61.0 of russh.

Impact Analysis

This vulnerability can lead to incorrect authentication behavior where authentication state from one user or service request affects another. This could potentially allow an attacker to bypass certain authentication checks or cause confusion in the authentication process.

The CVSS score of 5.3 indicates medium severity, with an integrity impact but no confidentiality or availability impact. This means the vulnerability could allow unauthorized modification or influence of authentication state, potentially leading to unauthorized access or privilege escalation.

Mitigation Strategies

To mitigate this vulnerability, upgrade the russh server library to version 0.61.0 or later, where the issue has been patched.

Compliance Impact

The vulnerability in russh affects the internal authentication state management, potentially allowing one user's authentication state to influence another's authentication process. This impacts authentication integrity but does not directly disclose personal data or cause data breaches.

While the issue could undermine secure authentication practices, there is no explicit information linking this vulnerability to violations of compliance standards such as GDPR or HIPAA in the provided resources.

However, since authentication integrity is a critical component of security controls required by many regulations, failure to properly manage authentication state could indirectly affect compliance by weakening access controls.

Detection Guidance

This vulnerability involves the russh SSH server library improperly maintaining internal authentication state across SSH_MSG_USERAUTH_REQUEST messages when the authentication principal changes. Detection would involve monitoring SSH authentication attempts to identify if authentication state from one user is improperly influencing another user's authentication process.

Since the issue is internal to the russh library's state management and does not manifest as a standard network signature, direct detection via simple network commands is challenging.

However, to investigate or detect this vulnerability on your system, you could:

  • Capture and analyze SSH authentication traffic using tools like tcpdump or Wireshark to observe multiple SSH_MSG_USERAUTH_REQUEST messages within the same connection where the username or service changes.
  • Look for anomalies where authentication methods appear restricted or altered unexpectedly between authentication attempts for different users on the same connection.
  • Enable detailed authentication state tracing on the russh server, if available, to detect whether internal state is reset properly.

Example commands to capture SSH authentication packets:

  • sudo tcpdump -i <interface> -w ssh_auth.pcap port 22
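  • Then analyze with Wireshark or tshark, filtering on SSH_MSG_USERAUTH_REQUEST messages, and check for changes in the username or service fields within the same connection. These messages are sent after key exchange, inside the encrypted SSH transport, so the fields are readable only if the session can be decrypted; otherwise rely on server-side logging.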

Note that no specific detection commands or signatures are provided in the available resources, so detection relies on careful traffic analysis and server-side logging.
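
One way to apply the server-side logging approach above, added here as an example rather than taken from russh or the advisory: flag any connection whose authentication requests change (user, service), and note whether the earlier principal had reached partial success. The `AuthEvent` record is hypothetical (what an application's own auth callbacks could log), and the sample events are constructed.

```rust
use std::collections::HashMap;

type Principal = (&'static str, &'static str); // (user, service)

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Outcome { Failure, PartialSuccess, Success }

/// Hypothetical record an application's own auth callbacks could log for each
/// authentication request; this is not a russh log format.
#[derive(Clone, Copy, Debug)]
pub struct AuthEvent { pub conn: u32, pub who: Principal, pub method: &'static str, pub outcome: Outcome }

#[derive(Debug, PartialEq, Eq)]
pub struct Finding { pub conn: u32, pub from: Principal, pub to: Principal, pub after_partial: bool }

/// Flag each principal change inside one connection and whether it followed a partial success.
pub fn principal_switches(events: &[AuthEvent]) -> Vec<Finding> {
    // conn -> (last principal seen, partial success seen for that principal)
    let mut last: HashMap<u32, (Principal, bool)> = HashMap::new();
    let mut findings = Vec::new();
    for e in events {
        let partial_now = e.outcome == Outcome::PartialSuccess;
        match last.get_mut(&e.conn) {
            Some((prev, partial)) if *prev != e.who => {
                findings.push(Finding { conn: e.conn, from: *prev, to: e.who, after_partial: *partial });
                *prev = e.who;
                *partial = partial_now;
            }
            Some((_, partial)) => *partial |= partial_now,
            None => { last.insert(e.conn, (e.who, partial_now)); }
        }
    }
    findings
}

/// Constructed sample: connection 7 moves from alice to bob after a partial success.
pub fn sample() -> Vec<AuthEvent> {
    let ev = |conn: u32, user: &'static str, method: &'static str, outcome: Outcome| AuthEvent { conn, who: (user, "ssh-connection"), method, outcome };
    vec![
        ev(7, "alice", "publickey", Outcome::PartialSuccess),
        ev(8, "carol", "password", Outcome::Failure),
        ev(7, "bob", "password", Outcome::Success),
        ev(8, "carol", "password", Outcome::Success),
    ]
}

fn main() {
    for f in principal_switches(&sample()) { println!("{:?}", f); }
}
```

A principal change alone is valid under RFC 4252, so a finding is a prompt to check the server's russh version, not proof of abuse.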
