A vulnerability was found in wolfSSHs server-side state machine before versions 1.4.17. A malicious client could create channels without first performing user authentication, resulting in unauthorized access.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.