Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

CVE-2026-39832: Go SSH Agent Key Forwarding Security Risk

GO-2026-5006 CVE-2026-39832

Summary

The Go SSH agent key forwarding feature had a security issue that could allow a key to be used on a remote host without restrictions. This has been fixed to ensure that key restrictions are properly enforced when forwarding keys. Affected users should update their Go SSH agent to the latest version to ensure they have the security fix.

What to do

Update x golang.org/x/crypto to version 0.52.0.

Affected software

Ecosystem	Vendor	Product	Affected versions
Go	x	golang.org/x/crypto	< 0.52.0 Fix: upgrade to 0.52.0
–	golang	crypto	< 0.52.0 `cpe:2.3:a:golang:crypto::::::go::*`

Original title

When adding a key to a remote agent constraint extensions such as [email protected] were not serialized in the request. Destination restrictions were silently stripped when forwa...

Original description

When adding a key to a remote agent constraint extensions such as [email protected] were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Vulnerability type

CWE-502 Deserialization of Untrusted Data

https://pkg.go.dev/vuln/GO-2026-5006
https://go.dev/issue/79435 Third Party Advisory
https://go.dev/cl/778642 Patch
https://groups.google.com/g/golang-announce/c/a082jnz-LvI URL

Published: 22 May 2026 · Updated: 30 May 2026 · First seen: 22 May 2026