Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

When adding a key to a remote agent constraint extensions such as [email protected] were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

AI Analysis

Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host

Basic Information

ID CVE-2026-39832

Source Go

Published May 22, 2026 at 02:31

Modified May 22, 2026 at 19:03

Affected Product

Vendor golang.org/x/crypto

Product golang.org/x/crypto/ssh/agent

Affected Versions golang.org/x/crypto golang.org/x/crypto/ssh/agent 0

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor The Go Authors

Product golang.org/x/crypto/ssh/agent

References

{
    "lastseen": "",
    "description": "When adding a key to a remote agent constraint extensions such as [email protected] were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.",
    "published": "2026-05-22T02:31:26.660Z",
    "modified": "2026-05-22T19:03:06.882Z",
    "type": "cve",
    "title": "Invoking  agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent",
    "source": "Go",
    "references": "https://go.dev/issue/79435\nhttps://go.dev/cl/778642\nhttps://groups.google.com/g/golang-announce/c/a082jnz-LvI\nhttps://pkg.go.dev/vuln/GO-2026-5006",
    "id": "CVE-2026-39832",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "golang.org/x/crypto golang.org/x/crypto/ssh/agent 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "golang.org/x/crypto/ssh/agent",
    "version": "0",
    "vendor": "golang.org/x/crypto",
    "ai_description": "Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host",
    "ai_severity": "Critical",
    "ai_vendor": "The Go Authors",
    "ai_product": "golang.org/x/crypto/ssh/agent",
    "ai_version": "0",
    "ai_score": 9.1
}

Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent_CVE-2026-39832