QwikSec

Security Database

CVE

CWE

Training

CVE-2026-39833

Published: May 22, 2026

Modified: May 22, 2026

PUBLISHED

Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Vendor	Product	Versions
golang.org/x/crypto	golang.org/x/crypto/ssh/agent	affected `0 - < 0.52.0`

References

https://go.dev/issue/79436

https://go.dev/cl/778640

https://go.dev/cl/778641

https://groups.google.com/g/golang-announce/c/a082jnz-LvI

https://pkg.go.dev/vuln/GO-2026-5005

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.