CVE-2026-39833 PUBLISHED

Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent

Assigner: Go
Reserved: 07.04.2026 Published: 22.05.2026 Updated: 22.05.2026

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Product Status

Vendor	golang.org/x/crypto
Product	golang.org/x/crypto/ssh/agent
Versions	Default: unaffected affected from 0 to 0.52.0 (excl.)

Credits

NCC Group Cryptography Services, sponsored by Teleport

References

https://go.dev/issue/79436
https://go.dev/cl/778640
https://go.dev/cl/778641
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://pkg.go.dev/vuln/GO-2026-5005

Problem Types

CWE-358: Improperly Implemented Security Check for Standard