CVE-2026-39828
Status: Received - Intake
SSH Server Authentication PartialSuccessError Permissions Bypass

Publication date: 2026-05-22

Last updated on: 2026-05-22

Assigner: Go Project

Description
When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.
Affected Vendors & Products
One associated CPE:
Vendor: golang
Product: crypto
Version / Range: all versions before v0.52.0 (v0.52.0 excluded)
CWE: CWE-UNKNOWN (no CWE assigned)
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the golang.org/x/crypto/ssh package when an SSH server authentication callback returns a PartialSuccessError together with non-nil Permissions. In that case the permissions (which may carry certificate restrictions such as force-command) were silently discarded. After the second authentication factor succeeded, the session proceeded without those restrictions, and no error was raised to signal that they had been dropped.

The fix changes this behavior: returning non-nil Permissions together with PartialSuccessError now causes a connection error instead of a session that runs without the intended restrictions, so certificate restrictions can no longer be lost silently.


How can this vulnerability impact me?

This vulnerability can allow certificate restrictions such as force-command to be bypassed once the second authentication factor succeeds. An attacker or unauthorized user could then gain broader access or execute commands that the certificate permissions were meant to prevent.

Because the permissions were dropped silently rather than causing a connection error, the controls intended to limit user actions could be ineffective, potentially leading to unauthorized command execution or privilege escalation.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the golang.org/x/crypto module to version v0.52.0 or later, where the issue is fixed.

With the fix, returning non-nil Permissions together with PartialSuccessError results in a connection error, so certificate restrictions such as force-command are enforced after the second factor succeeds instead of being dropped. When updating, check any first-factor callback that returns PartialSuccessError: it must return nil Permissions, with the final permissions returned by the callback that completes authentication, or the connection will now fail.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability could affect compliance with security standards and regulations such as GDPR and HIPAA because it silently discards certificate restrictions (for example, force-command) after a second factor succeeds during SSH authentication. The result can be unauthorized access or actions that bypass intended security controls, weakening the enforcement of access restrictions.

By allowing permissions to be dropped silently, the vulnerability undermines the integrity of multi-factor authentication enforcement and certificate-based restrictions, which compliance frameworks often require to protect sensitive data and systems.

The fix, which causes a connection error when non-nil Permissions are returned together with PartialSuccessError, ensures that certificate restrictions are enforced and thereby helps maintain compliance with such standards.

