CVE-2026-39828
Status: Analyzed - Analysis Complete
SSH Server Authentication PartialSuccessError Permissions Bypass

Publication date: 2026-05-22

Last updated on: 2026-06-02

Assigner: Go Project

Description
When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.
Meta Information
Generated: 2026-06-11
AI Q&A: 2026-05-22
EPSS Evaluated: 2026-06-10
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor   Product   Version / Range
golang   crypto    up to 0.52.0 (exclusive)
CWE ID: CWE-295 - The product does not validate, or incorrectly validates, a certificate.
Executive Summary

This vulnerability occurs in the golang.org/x/crypto/ssh package when an SSH server authentication callback returns a PartialSuccessError along with non-nil Permissions. In such cases the permissions, which may include important certificate restrictions like force-command, were silently discarded. This means that after a second-factor authentication succeeded, the intended restrictions could be bypassed without any error being raised.

The issue has been fixed by changing the behavior so that returning non-nil Permissions with PartialSuccessError now causes a connection error, ensuring that certificate restrictions are properly enforced.

Impact Analysis

This vulnerability can impact you by allowing certificate restrictions, such as force-command, to be bypassed after a second factor authentication succeeds. This means that an attacker or unauthorized user might gain more access or execute commands that should have been restricted by the certificate permissions.

Because the permissions were silently discarded without causing a connection error, the security controls intended to limit user actions could be ineffective, potentially leading to unauthorized command execution or privilege escalation.

Mitigation Strategies

To mitigate this vulnerability, you should update the golang.org/x/crypto package to version v0.52.0 or later, where the issue has been fixed.

The fix ensures that returning non-nil Permissions with PartialSuccessError results in a connection error, properly enforcing certificate restrictions such as force-command after a second factor succeeds.
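To make the distinction the fix enforces concrete, here is an added Go example (not code from the Go project or from golang.org/x/crypto) that models the server's authentication-callback chain with local stand-in types named after ssh.Permissions and ssh.PartialSuccessError; the runAuth driver, the buggy/safe callback pair and the force-command value are assumptions constructed for illustration.

```go
package main

import "errors"

// Stand-ins for ssh.Permissions and ssh.PartialSuccessError from
// golang.org/x/crypto/ssh; only the fields this illustration needs are
// modelled (an assumption, not the library's real definitions).
type Permissions struct {
	CriticalOptions map[string]string // e.g. "force-command"
}
type AuthStep func() (*Permissions, error)
type PartialSuccessError struct{ Next AuthStep }

func (PartialSuccessError) Error() string { return "ssh: partial success" }

// runAuth drives the auth callback chain. strict=false reproduces the pre-fix
// behaviour (Permissions attached to a PartialSuccessError are dropped);
// strict=true models the fixed behaviour (such a return is a connection error).
func runAuth(step AuthStep, strict bool) (*Permissions, error) {
	for step != nil {
		perms, err := step()
		if err == nil {
			return perms, nil // final factor passed: these become the session's permissions
		}
		var pse PartialSuccessError
		if !errors.As(err, &pse) {
			return nil, err
		}
		if perms != nil && strict {
			return nil, errors.New("ssh: non-nil Permissions returned with PartialSuccessError")
		}
		step = pse.Next // pre-fix path: perms are silently discarded here
	}
	return nil, errors.New("ssh: no further authentication methods")
}

// Constructed certificate restriction that must survive the second factor.
var certPerms = &Permissions{CriticalOptions: map[string]string{"force-command": "/usr/bin/backup"}}

func secondFactorOK(p *Permissions) AuthStep { return func() (*Permissions, error) { return p, nil } }

// Buggy pattern: restrictions attached to the step that returns PartialSuccessError.
func buggyCertStep() (*Permissions, error) {
	return certPerms, PartialSuccessError{Next: secondFactorOK(nil)}
}

// Safe pattern: carry the restrictions forward and return them only from the final factor.
func safeCertStep() (*Permissions, error) {
	return nil, PartialSuccessError{Next: secondFactorOK(certPerms)}
}
```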

Compliance Impact

This vulnerability could affect compliance with security standards and regulations such as GDPR and HIPAA because it involves the silent discarding of certificate restrictions (e.g., force-command) after a second factor succeeded during SSH authentication. This could lead to unauthorized access or actions that bypass intended security controls, thereby weakening the enforcement of access restrictions.

By allowing permissions to be discarded silently, the vulnerability undermines the integrity of multi-factor authentication enforcement and certificate-based restrictions, which are often required by compliance frameworks to protect sensitive data and systems.

The fix, which causes a connection error when non-nil Permissions are returned with PartialSuccessError, ensures that certificate restrictions are properly enforced, thereby helping maintain compliance with such standards.
