CVE-2026-39832 | THREATINT

Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

PUBLISHED Reserved 2026-04-07 | Published 2026-05-22 | Updated 2026-05-22 | Assigner Go

Problem types

CWE-281: Improper Preservation of Permissions

Product status

Default status

unaffected

Any version before 0.52.0

affected

Credits

NCC Group Cryptography Services, sponsored by Teleport

References

go.dev/issue/79435

go.dev/cl/778642

groups.google.com/g/golang-announce/c/a082jnz-LvI

pkg.go.dev/vuln/GO-2026-5006

cve.org (CVE-2026-39832)

nvd.nist.gov (CVE-2026-39832)

Download JSON