CVE-2026-39832 PUBLISHED

Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent

Assigner: Go
Reserved: 07.04.2026 Published: 22.05.2026 Updated: 22.05.2026

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Product Status

Vendor	golang.org/x/crypto
Product	golang.org/x/crypto/ssh/agent
Versions	Default: unaffected affected from 0 to 0.52.0 (excl.)

Credits

NCC Group Cryptography Services, sponsored by Teleport

References

https://go.dev/issue/79435
https://go.dev/cl/778642
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://pkg.go.dev/vuln/GO-2026-5006

Problem Types

CWE-281: Improper Preservation of Permissions