CVE-2026-46705: CWE-287: Improper Authentication in Eugeny russh
Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, the russh server authentication path keeps internal userauth state across SSH_MSG_USERAUTH_REQUEST messages without separating that state when the request principal changes. RFC 4252 allows the user name and service name fields to change between authentication requests. The issue is not that such changes are invalid. The issue is that russh-owned authentication state, such as remaining methods, partial-success state, and in-progress method state, can remain associated with the connection and then influence a later request for a different (user, service). This is an internal library state mismatch. This issue has been patched in version 0.61.0.
AI Analysis
Technical Summary
Russh versions >=0.34.0-beta.1 and <0.61.0 have an authentication state management flaw where internal user authentication state is retained across SSH_MSG_USERAUTH_REQUEST messages without resetting when the user or service changes, violating the expected separation per RFC 4252. This allows residual authentication state (such as remaining methods or partial success) to incorrectly affect subsequent authentication attempts for different principals within the same connection. This is an internal state mismatch issue classified as CWE-287 (Improper Authentication). The vulnerability is patched in russh version 0.61.0.
Potential Impact
The vulnerability can lead to improper authentication behavior where authentication state from one user or service request influences another, potentially allowing an attacker to bypass intended authentication checks or cause incorrect authentication outcomes. There is no direct confidentiality or availability impact reported. The CVSS score is 5.3 (medium severity), indicating a moderate risk of integrity impact without requiring privileges or user interaction.
Mitigation Recommendations
Upgrade russh to version 0.61.0 or later, where this authentication state management issue has been fixed. No other official remediation or temporary fixes are documented. Patch status is not explicitly stated in the vendor advisory, but the description confirms the issue is resolved in 0.61.0.
CVE-2026-46705: CWE-287: Improper Authentication in Eugeny russh
Description
Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, the russh server authentication path keeps internal userauth state across SSH_MSG_USERAUTH_REQUEST messages without separating that state when the request principal changes. RFC 4252 allows the user name and service name fields to change between authentication requests. The issue is not that such changes are invalid. The issue is that russh-owned authentication state, such as remaining methods, partial-success state, and in-progress method state, can remain associated with the connection and then influence a later request for a different (user, service). This is an internal library state mismatch. This issue has been patched in version 0.61.0.
CVSS v3.1
Score 5.3medium
Affected software
pkg:cargo/github/Eugeny/russhRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Russh versions >=0.34.0-beta.1 and <0.61.0 have an authentication state management flaw where internal user authentication state is retained across SSH_MSG_USERAUTH_REQUEST messages without resetting when the user or service changes, violating the expected separation per RFC 4252. This allows residual authentication state (such as remaining methods or partial success) to incorrectly affect subsequent authentication attempts for different principals within the same connection. This is an internal state mismatch issue classified as CWE-287 (Improper Authentication). The vulnerability is patched in russh version 0.61.0.
Potential Impact
The vulnerability can lead to improper authentication behavior where authentication state from one user or service request influences another, potentially allowing an attacker to bypass intended authentication checks or cause incorrect authentication outcomes. There is no direct confidentiality or availability impact reported. The CVSS score is 5.3 (medium severity), indicating a moderate risk of integrity impact without requiring privileges or user interaction.
Mitigation Recommendations
Upgrade russh to version 0.61.0 or later, where this authentication state management issue has been fixed. No other official remediation or temporary fixes are documented. Patch status is not explicitly stated in the vendor advisory, but the description confirms the issue is resolved in 0.61.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-15T23:26:58.309Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a29d0250e53e73883986cd2
Added to database: 6/10/2026, 8:59:17 PM
Last enriched: 6/10/2026, 9:15:16 PM
Last updated: 6/11/2026, 12:21:11 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.