CVE-2026-39831

Published: May 22, 2026

Modified: May 22, 2026

PUBLISHED

Description

The Verify() method for FIDO/U2F security key types ([email protected], [email protected]) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

Vendor	Product	Versions
golang.org/x/crypto	golang.org/x/crypto/ssh	affected `0 - < 0.52.0`

References

https://go.dev/issue/79566

https://groups.google.com/g/golang-announce/c/a082jnz-LvI

https://go.dev/cl/781662

https://pkg.go.dev/vuln/GO-2026-5019

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-39831

Description

Affected Products

References