9.1
CVE-2026-39833: golang.org/x/crypto/ssh/agent: Unenforced key signing constraints
GO-2026-5005
CVE-2026-39833
Summary
The in-memory keyring in the Go library golang.org/x/crypto/ssh/agent accepted keys added with the ConfirmBeforeUse constraint but did not enforce it. Such keys could therefore sign without a confirmation prompt. The issue has been fixed to return an error when this constraint is requested.
What to do
- Update golang.org/x/crypto to version 0.52.0.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Go | x | golang.org/x/crypto | < 0.52.0 (fix: upgrade to 0.52.0) |
| – | golang | crypto | < 0.52.0 (`cpe:2.3:a:golang:crypto:*:*:*:*:*:go:*:*`) |
Original title
The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indicat...
Original description
The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.
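The fail-open behaviour described above, next to the fail-closed fix, as an added and simplified model in Go that uses only the standard library. It is not code from golang.org/x/crypto; `addedKey`, `keyring` and `tryConstrainedKey` are hypothetical names and the signed message is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// addedKey is a hypothetical stand-in for an agent "add key" request.
type addedKey struct {
	priv             ed25519.PrivateKey
	confirmBeforeUse bool // caller asks for a prompt before every signature
}

// keyring is a toy in-memory keyring that has no way to prompt a user.
type keyring struct {
	failClosed bool // false models the pre-fix behaviour, true the fixed one
	keys       []ed25519.PrivateKey
}

// add stores the key; fail-open drops the constraint, fail-closed rejects it.
func (k *keyring) add(a addedKey) error {
	if a.confirmBeforeUse && k.failClosed {
		return errors.New("keyring: confirm-before-use is not supported")
	}
	k.keys = append(k.keys, a.priv)
	return nil
}

// sign uses the first stored key and never prompts; nil if no key is held.
func (k *keyring) sign(msg []byte) []byte {
	if len(k.keys) == 0 {
		return nil
	}
	return ed25519.Sign(k.keys[0], msg)
}

// tryConstrainedKey adds a constrained key, then attempts a signature.
func tryConstrainedKey(failClosed bool) (accepted, signedUnprompted bool) {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	k := &keyring{failClosed: failClosed}
	accepted = k.add(addedKey{priv: priv, confirmBeforeUse: true}) == nil
	return accepted, k.sign([]byte("constructed sample message")) != nil
}

func main() {
	fmt.Println(tryConstrainedKey(false)) // pre-fix model: true true
	fmt.Println(tryConstrainedKey(true))  // fixed model: false false
}
```

In the fail-open model the caller gets a nil error from `add`, so nothing tells it that the requested constraint was dropped; the fail-closed model surfaces that at add time.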
Vulnerability type
CWE-862
Missing Authorization
Published: 22 May 2026 · Updated: 30 May 2026 · First seen: 22 May 2026