russh

CVE-2026-46705

CVE-2026-46705 is a medium-severity improper authentication vulnerability in russh (rust), affecting versions >= 0.34.0-beta.1, < 0.61.0. It is fixed in 0.61.0.

Key facts

  • CVSS score: 5.3 (Medium)
  • Attack vector: Network
  • Issuing authority: GitHub Advisory Database
  • Affected package: russh
  • Fixed in: 0.61.0
  • Disclosed: 2026

Summary

The russh server authentication path keeps internal userauth state across SSH_MSG_USERAUTH_REQUEST messages without separating that state when the request principal changes.

RFC 4252 allows the user name and service name fields to change between authentication requests. The issue is not that such changes are invalid. The issue is that russh-owned authentication state, such as remaining methods, partial-success state, and in-progress method state, can remain associated with the connection and then influence a later request for a different (user, service).

This is an internal library state mismatch. Applications are responsible for any authentication state they keep in their own handlers, but russh must reset or separate state that russh itself owns.

Details

The relevant server-side auth logic is in:

  • russh/src/server/encrypted.rs
  • russh/src/auth.rs

RFC 4252 section 5 says the user name and service name fields are repeated in every SSH_MSG_USERAUTH_REQUEST and may change. It also says the server implementation must check those fields in every message and flush accumulated authentication state if they change; if it cannot flush that state, it must disconnect.

In vulnerable russh code, the username and service are decoded from each SSH_MSG_USERAUTH_REQUEST, while the AuthRequest state remains connection-scoped. That state includes:

  • methods, which is later encoded as the SSH_MSG_USERAUTH_FAILURE remaining-methods list.
  • partial_success, which is later encoded in SSH_MSG_USERAUTH_FAILURE.
  • current, which tracks in-progress method state such as public-key offer or keyboard-interactive challenge state.
  • rejection_count.

If one request narrows russh's internal methods set, a later request for a different user can observe that narrowed set unless the internal state is reset at the principal boundary.

PoC

The PoC demonstrates only russh-owned state. The handler does not store any cross-request state.

Alice's request narrows russh's remaining methods to password; Bob's later plain reject should not reuse that internal state.

On upstream/main, this fails with:

That failure is produced by russh's retained AuthRequest.methods; it does not depend on handler-owned MFA/session state.

Impact

Suggested provisional CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Score: 5.3

Reasoning:

  • AV:N: reachable by a remote SSH client during authentication.
  • AC:L: the attack is a normal sequence of SSH user-auth packets.
  • PR:N: the attacker does not need an already-authenticated SSH session.
  • UI:N: no user interaction is required on the server side.
  • S:U: the impact is within the vulnerable SSH server implementation.
  • C:N: the narrow PoC does not disclose confidential data.
  • I:L: russh-owned authentication state for one principal can affect the authentication flow for a different principal.
  • A:N: the narrow PoC does not demonstrate an availability impact.

This report does not claim that username changes are inherently invalid, nor does it rely on application-owned authentication state being mishandled by the embedding server.

Fix / Patch Direction

The fix should update russh's internal userauth state handling so that accumulated russh-owned state is flushed or separated when (user, service) changes between SSH_MSG_USERAUTH_REQUEST messages.

The fix stores the last seen (user, service) on AuthRequest. When a new auth request arrives for a different principal, russh resets its internal auth state before dispatching the new request. This keeps username changes protocol-valid while preventing prior russh-owned auth state from carrying into the new principal.
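The principal-boundary reset described above, as an added Rust model that is not russh's own code. `AuthState`, `on_rejected_request`, `flush_on_change` and `bob_sees` are hypothetical names, and the three-method list is an assumed server configuration; the model compares what Bob's failure response advertises with and without the flush.

```rust
// Added model of connection-scoped userauth state; not russh source code.
// The three-method list is an assumed server configuration.
const ALL_METHODS: [&str; 3] = ["publickey", "password", "keyboard-interactive"];

#[allow(dead_code)]
#[derive(Debug)]
struct AuthState {
    methods: Vec<&'static str>, // sent as the remaining-methods list on failure
    partial_success: bool,
    rejection_count: usize,
    principal: Option<(String, String)>, // last seen (user, service)
}

impl AuthState {
    fn new() -> Self {
        AuthState { methods: ALL_METHODS.to_vec(), partial_success: false,
                    rejection_count: 0, principal: None }
    }

    // Process one rejected SSH_MSG_USERAUTH_REQUEST and return the method list
    // that SSH_MSG_USERAUTH_FAILURE would carry. `narrow_to` models a handler
    // that rejects while restricting which methods may continue.
    fn on_rejected_request(&mut self, user: &str, service: &str,
                           narrow_to: Option<&[&'static str]>,
                           flush_on_change: bool) -> Vec<&'static str> {
        let incoming = (user.to_string(), service.to_string());
        if flush_on_change && self.principal.as_ref().is_some_and(|p| *p != incoming) {
            // RFC 4252 section 5: principal changed, flush accumulated state.
            *self = AuthState::new();
        }
        self.principal = Some(incoming);
        if let Some(allowed) = narrow_to {
            self.methods.retain(|m| allowed.contains(m));
        }
        self.rejection_count += 1;
        self.methods.clone()
    }
}

// Alice's request narrows the set to password; Bob then sends a plain reject.
fn bob_sees(flush_on_change: bool) -> Vec<&'static str> {
    let mut st = AuthState::new();
    st.on_rejected_request("alice", "ssh-connection", Some(&["password"][..]), flush_on_change);
    st.on_rejected_request("bob", "ssh-connection", None, flush_on_change)
}

fn main() {
    println!("without flush: {:?}", bob_sees(false));
    println!("with flush:    {:?}", bob_sees(true));
}
```

Without the flush, Bob's response inherits the list narrowed for Alice; with it, Bob starts from the full configured set.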

Impact

What is improper authentication?

The application does not adequately verify the identity of a user, device, or process before granting access. Typical impact: unauthorized access to functions or data reserved for authenticated parties.

Severity and exposure

CVE-2026-46705 has a CVSS score of 5.3 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.

A fixed version is available (0.61.0). Upgrading removes the vulnerable code path.

Affected versions

rust

  • russh (>= 0.34.0-beta.1, < 0.61.0)

Security releases

  • russh → 0.61.0 (rust)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.

Kodem's runtime-powered SCA identifies whether CVE-2026-46705 is reachable in your applications. Explore open-source security for your team.


Remediation advice

Upgrade russh to 0.61.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently asked questions about CVE-2026-46705

What is CVE-2026-46705?

CVE-2026-46705 is a medium-severity improper authentication vulnerability in russh (rust), affecting versions >= 0.34.0-beta.1, < 0.61.0. It is fixed in 0.61.0. The application does not adequately verify the identity of a user, device, or process before granting access.

How severe is CVE-2026-46705?

CVE-2026-46705 has a CVSS score of 5.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.

Which versions of russh are affected by CVE-2026-46705?

russh (rust) versions >= 0.34.0-beta.1, < 0.61.0 are affected.

Is there a fix for CVE-2026-46705?

Yes. CVE-2026-46705 is fixed in 0.61.0. Upgrade to this version or later.

Is CVE-2026-46705 exploitable, and should I be worried?

Whether CVE-2026-46705 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.

What actually determines whether CVE-2026-46705 is exploitable, and how bad it is?

Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

How do I fix CVE-2026-46705?

Upgrade russh to 0.61.0 or later.
