A public proof-of-concept has been released for CVE-2026-55200, a critical vulnerability in libssh2 that inverts the typical SSH threat model: instead of an attacker targeting a server, a malicious or compromised SSH server can exploit connecting clients.
What the Vulnerability Does
The flaw allows a rogue SSH server to trigger memory corruption on any client using the affected library during a connection attempt. Researchers note that exploitation requires no credentials and no user interaction beyond the client initiating a connection. Successful exploitation could lead to arbitrary code execution on the client system.
Scope and Severity
- Affected versions: All libssh2 releases up to and including 1.11.1
- CVSS 4.0 score: 9.2 (Critical)
- Attack vector: Network, no authentication required, no user interaction
An Important Distinction
libssh2 is a client-side SSH library, not a server implementation. This means the attack surface sits wherever the library is used to initiate outbound SSH connections, including automation tools, deployment pipelines, backup systems, and embedded software that rely on libssh2 for SSH transport.
Recommended Action
Organizations should audit their software dependencies and build pipelines for use of libssh2 and prioritize patching to a fixed release as soon as one becomes available. The availability of a public PoC significantly raises the risk of active exploitation in the near term. Security teams should also treat any unexpected or third-party SSH endpoints with heightened caution until patched clients are deployed.
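One way to start that dependency audit, as an added example that is not part of the advisory: the script below flags libssh2 components at or below 1.11.1 in a CycloneDX-style SBOM export and in `dpkg -l` / `rpm -qa` style package listings. The SBOM shape and the package lines are constructed samples, and the 1.11.1 threshold is the only fact taken from the page.

```python
import json
import re

# The advisory states every libssh2 release up to and including 1.11.1 is affected.
AFFECTED_MAX = (1, 11, 1)
LIBSSH2 = re.compile(r"\blibssh2(?![0-9])", re.IGNORECASE)  # not libssh, a different library
VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Extract an upstream version tuple from '1.11.1', '1.10.0-3ubuntu2' or
    '1.9.0-5.el8.x86_64'; None when the string carries no version at all."""
    m = VERSION.search(text)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def is_affected(version_text):
    """True when the upstream version is <= 1.11.1. Distribution packages may
    backport a fix without bumping this number, so a hit means 'check the
    vendor advisory for this exact package', not 'confirmed vulnerable'."""
    v = parse_version(version_text)
    return v is not None and v <= AFFECTED_MAX

def audit_sbom(sbom_json):
    """Scan a CycloneDX-style SBOM ('components' list of name/version) for libssh2."""
    comps = json.loads(sbom_json).get("components", [])
    return [(c["name"], c.get("version", ""), is_affected(c.get("version", "")))
            for c in comps if LIBSSH2.search(c.get("name", ""))]

def audit_packages(lines):
    """Scan 'dpkg -l' rows (status 'ii') and 'rpm -qa' rows (name-version-release.arch)."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii":        # dpkg: ii  name:arch  version ...
            name, version = fields[1].split(":")[0], fields[2]
        elif len(fields) == 1:                            # rpm: split at the first '-<digit>'
            parts = re.split(r"-(?=\d)", fields[0], maxsplit=1)
            if len(parts) != 2:
                continue
            name, version = parts
        else:
            continue
        if LIBSSH2.search(name):
            findings.append((name, version, is_affected(version)))
    return findings

# Constructed samples standing in for a real SBOM export and a host's package list.
SBOM_SAMPLE = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"name": "libssh2", "version": "1.11.1"},
    {"name": "libssh", "version": "0.10.6"},
    {"name": "zlib", "version": "1.3.1"}]})
PKG_SAMPLE = [
    "ii  libssh2-1:amd64  1.10.0-3ubuntu2  amd64  SSH2 client-side library",
    "ii  libssh-4:amd64  0.10.6-2  amd64  tiny C SSH library",
    "libssh2-1.9.0-5.el8.x86_64",
    "openssl-libs-3.0.7-28.el9.x86_64",
]

if __name__ == "__main__":
    for name, version, affected in audit_sbom(SBOM_SAMPLE) + audit_packages(PKG_SAMPLE):
        print(f"{name:12} {version:22} {'CHECK/PATCH' if affected else 'above 1.11.1'}")
```

Statically linked copies of libssh2 inside vendored binaries will not appear in either listing, so pair this with an SBOM from the build pipeline rather than relying on host package data alone.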
