CVE-2026-39833

CRITICAL

Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent

Title source: cna

Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

References (5)

Core 5

Core References

https://go.dev/issue/79436

https://go.dev/cl/778640

https://go.dev/cl/778641

https://groups.google.com/g/golang-announce/c/a082jnz-LvI

https://pkg.go.dev/vuln/GO-2026-5005

Scores

CVSS v3 9.1

EPSS 0.0030

EPSS Percentile 21.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-862

Status published

Products (2)

golang/crypto < 0.52.0

golang.org/x/crypto/golang.org/x/crypto/ssh/agent < 0.52.0

Published May 22, 2026

Tracked Since May 22, 2026