CVE-2026-39828

🔶 medium

Summary

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

CVSS Score

6.3

Medium

EPSS Score

0.0

Exploit Probability

Published Date

2026-05-22

First Seen: 2026-05-23

📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 39.3% of all 328,009 vulnerabilities in our database.

#199,264

Below average severity

Severity Percentile

🎯 CISA SSVC Assessment Updated: May 22, 2026

🔍 Exploitation Status

None

No known exploits

⚙️ Automatable

Requires human interaction

💥 Technical Impact

Partial

Limited system impact

🏆 Discovered By

NCC Group Cryptography Services, sponsored by Teleport

SSVC data provided by CISA

Last Modified 2026-06-02

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE IDs (Weakness Types)

CWE-295

📦 Affected Products 1

Vendor	Product	Status	Affected Versions
golang	crypto	Affected	< 0.52.0

🔗 References 4

https://go.dev/cl/781621

Issue Tracking

https://go.dev/issue/79562

Issue Tracking

https://groups.google.com/g/golang-announce/c/a082jn...

Mailing List

https://pkg.go.dev/vuln/GO-2026-5014

Vendor Advisory

🔗 Related CVEs 6

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2026-39827	🔶 medium	6.5	0.0	An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory gr...	2026-05-22
CVE-2026-39829	⚠️ high	7.5	0.0	The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessive...	2026-05-22
CVE-2026-39830	⛔ critical	9.1	0.1	A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection...	2026-05-22
CVE-2026-39831	⛔ critical	9.1	0.0	The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did...	2026-05-22
CVE-2026-39832	⛔ critical	9.1	0.1	When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serializ...	2026-05-22
CVE-2026-39833	⛔ critical	9.1	0.0	The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enf...	2026-05-22

These CVEs affect the same products