CVE-2026-39832

Published: May 22, 2026

Modified: May 22, 2026

PUBLISHED

Description

When adding a key to a remote agent constraint extensions such as [email protected] were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Vendor	Product	Versions
golang.org/x/crypto	golang.org/x/crypto/ssh/agent	affected `0 - < 0.52.0`

References

https://go.dev/issue/79435

https://go.dev/cl/778642

https://groups.google.com/g/golang-announce/c/a082jnz-LvI

https://pkg.go.dev/vuln/GO-2026-5006

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-39832

Description

Affected Products

References