CVE-2026-45309: AsyncSSH `AuthorizedKeysFile %u` path traversal allows attacker-selected authorized keys to authenticate a traversal username

May 27, 2026

AsyncSSH 2.22.0 expands the OpenSSH-compatible AuthorizedKeysFile %u token with the raw SSH username during pre-authentication server config reload. A server configured with a documented per-user key pattern such as AuthorizedKeysFile authorized_keys/%u can be made to read an authorized-keys file outside the intended directory when the SSH username contains path traversal segments. If the attacker can place or reference a readable authorized-keys-format file containing their public key, the attacker can authenticate over SSH as the traversal username.

References

github.com/advisories/GHSA-g794-3fmp-753h
github.com/ronf/asyncssh/security/advisories/GHSA-g794-3fmp-753h
nvd.nist.gov/vuln/detail/CVE-2026-45309

Code Behaviors & Features

Detect and mitigate CVE-2026-45309 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →