PT-2026-44151 · Pypi+1 · Asyncssh+1

Published 2026-05-27 · Updated 2026-06-16 · CVE-2026-45309

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
Name of the Vulnerable Software and Affected Versions: asyncssh versions 2.22.0 through 2.23.0

Description: An issue exists during pre-authentication server configuration reload where the %u token in the AuthorizedKeysFile setting is expanded using the raw SSH username without rejecting path separators or .. segments. This allows a remote attacker to use path traversal in the username to force the server to read an authorized-keys file from a location outside the intended directory. If the attacker can reference or place a readable file in the authorized-keys format containing their public key, they can successfully authenticate over SSH as the traversal username.

Recommendations: Update to version 2.23.1 or later. As a temporary workaround, ensure the application rejects usernames containing /, \, or .. before they are processed for key-file selection.
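The workaround above, as an added example that is not asyncssh's own code: a username check that rejects /, \ and .. before %u expansion, plus a containment check on the expanded path as defence in depth. The template and base directory are placeholders chosen for the example, not values from the advisory.

```python
import posixpath

# Placeholder AuthorizedKeysFile template and its base directory (constructed for this example).
AUTHORIZED_KEYS_TEMPLATE = "/etc/ssh/authorized_keys/%u"
KEYS_BASE_DIR = "/etc/ssh/authorized_keys"

# Substrings the advisory's workaround says a username must not contain.
REJECTED_SUBSTRINGS = ("/", "\\", "..")


def username_is_safe(username: str) -> bool:
    """True only for a non-empty username with no path separator, no '..' and no NUL.

    The '..' test is a plain substring match, so 'a..b' is rejected as well;
    that is deliberately conservative for a value that selects a file path."""
    if not username or "\x00" in username:
        return False
    return not any(s in username for s in REJECTED_SUBSTRINGS)


def naive_expand(template: str, username: str) -> str:
    """The behaviour the advisory describes: %u replaced by the raw username."""
    return template.replace("%u", username)


def safe_authorized_keys_path(template: str, username: str, base_dir: str) -> str:
    """Expand %u only for a validated username, then confirm the normalised
    result is still inside base_dir. Raises ValueError on rejection."""
    if not username_is_safe(username):
        raise ValueError("rejected username for key-file selection")
    candidate = posixpath.normpath(template.replace("%u", username))
    base = posixpath.normpath(base_dir)
    # Second line of defence: even a surprising template must not leave base_dir.
    if candidate != base and not candidate.startswith(base + "/"):
        raise ValueError("expanded key-file path escapes the base directory")
    return candidate
```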

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-45309
GHSA-G794-3FMP-753H
OPENSUSE-SU-2026:11042-1

Affected Products

Asyncssh
Python-Asyncssh