Any public key that hashes to that Bitcoin address can spend the money.
But this is wrong. The public key is provided in the scriptSig, and that's what signatures are checked against. It's also how the hash is checked in the first place.
You can find a public key that collides with the hash, and pass the first part of a p2pkh script. If the hash passes, all that's left is OP_CHECKSIG, which still wouldn't pass with the dodgy key.
deepceleron is correct.
The public key is indeed provided in the scriptSig, but this is not what signatures are checked against.
The scriptSig (containing the signature and the public key in P2PKH) is provided by the spender. It is the scriptPubKey in the output of the transaction that is being spent from that does the checking.
In the case of P2PKH, the scriptPubKey makes no mention of the public key - just the address.