CVE 9.1 CRITICAL

Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent_CVE-2026-39833

May 22, 2026 invoker category_cve

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

AI Analysis

In-memory keyring silently accepted keys with ConfirmBeforeUse constraint without enforcing it, allowing keys to sign without confirmation prompts.

Basic Information

ID CVE-2026-39833

Source Go

Published May 22, 2026 at 02:31

Modified May 22, 2026 at 18:58

Affected Product

Vendor golang.org/x/crypto

Product golang.org/x/crypto/ssh/agent

Affected Versions golang.org/x/crypto golang.org/x/crypto/ssh/agent 0

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor The Go Authors

Product golang.org/x/crypto/ssh/agent

References

{
    "lastseen": "",
    "description": "The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.",
    "published": "2026-05-22T02:31:26.294Z",
    "modified": "2026-05-22T18:58:08.489Z",
    "type": "cve",
    "title": "Invoking  key constraints not enforced in golang.org/x/crypto/ssh/agent",
    "source": "Go",
    "references": "https://go.dev/issue/79436\nhttps://go.dev/cl/778640\nhttps://go.dev/cl/778641\nhttps://groups.google.com/g/golang-announce/c/a082jnz-LvI\nhttps://pkg.go.dev/vuln/GO-2026-5005",
    "id": "CVE-2026-39833",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "golang.org/x/crypto golang.org/x/crypto/ssh/agent 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "golang.org/x/crypto/ssh/agent",
    "version": "0",
    "vendor": "golang.org/x/crypto",
    "ai_description": "In-memory keyring silently accepted keys with ConfirmBeforeUse constraint without enforcing it, allowing keys to sign without confirmation prompts.",
    "ai_severity": "Critical",
    "ai_vendor": "The Go Authors",
    "ai_product": "golang.org/x/crypto/ssh/agent",
    "ai_version": "0",
    "ai_score": 9.1
}

💭 Join the Security Discussion ❌ Cancel Reply