CVE-2026-39833

CRITICAL 9.1

Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent

CVSS Score

9.1

EPSS Score

0.0%

EPSS Percentile

5th

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Vendor	golang.org/x/crypto
Product	golang.org/x/crypto/ssh/agent
Published	May 22, 2026
Last Updated	May 22, 2026

Stay Ahead of the Next One

Get instant alerts for golang.org/x/crypto golang.org/x/crypto/ssh/agent

Be the first to know when new critical vulnerabilities affecting golang.org/x/crypto golang.org/x/crypto/ssh/agent are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

golang.org/x/crypto / golang.org/x/crypto/ssh/agent

0 < 0.52.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

go.dev: https://go.dev/issue/79436 go.dev: https://go.dev/cl/778640 go.dev: https://go.dev/cl/778641 groups.google.com: https://groups.google.com/g/golang-announce/c/a082jnz-LvI pkg.go.dev: https://pkg.go.dev/vuln/GO-2026-5005

Credits

NCC Group Cryptography Services, sponsored by Teleport