CVE-2026-39832
Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent
CVSS 3.1: 9.1 (CRITICAL)
EPSS: 0.07%
Description
When adding a key to a remote agent, constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. As a result, destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.
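The two behaviours described above, as an added standard-library sketch that is not code from golang.org/x/crypto: a sender that does or does not write constraint extensions, and a receiver that fails closed on extensions it does not support. The names `Encode`, `Decode`, `take` and `str` are hypothetical, the extension details are a constructed placeholder, and the wire layout (confirm byte 2, extension byte 255 followed by a length-prefixed name and length-prefixed details) is an assumption based on the SSH agent protocol.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const cConfirm, cExtension = 2, 255 // constraint type bytes (assumed wire values)
func str(b []byte, s string) []byte { // append s with a uint32 big-endian length prefix
	return append(binary.BigEndian.AppendUint32(b, uint32(len(s))), s...)
}

// Encode builds a constraint trailer; dropExts=true reproduces the defect.
func Encode(exts [][2]string, dropExts bool) []byte {
	out := []byte{cConfirm} // confirm-before-use is always set in this example
	for i := 0; i < len(exts) && !dropExts; i++ { // each ext is {name, details}
		out = str(str(append(out, cExtension), exts[i][0]), exts[i][1])
	}
	return out
}
func take(b []byte) (string, []byte, error) { // read one length-prefixed string
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return "", nil, fmt.Errorf("truncated string")
	}
	n := 4 + int(binary.BigEndian.Uint32(b))
	return string(b[4:n]), b[n:], nil
}

// Decode parses a trailer and fails closed on extensions outside supported.
func Decode(b []byte, supported map[string]bool) (names []string, err error) {
	for len(b) > 0 {
		kind, name := b[0], ""
		if b = b[1:]; kind == cExtension {
			if name, b, err = take(b); err == nil {
				_, b, err = take(b)
			}
			names = append(names, name)
		}
		if err != nil || kind != cConfirm && !supported[name] {
			return nil, fmt.Errorf("rejected constraint type %d %q (parse error: %v)", kind, name, err)
		}
	}
	return names, nil
}

func main() {
	ext := [][2]string{{"restrict-destination-v00@openssh.com", "constructed"}}
	fmt.Println(Decode(Encode(ext, true), nil))  // defect: extension never reaches the wire
	fmt.Println(Decode(Encode(ext, false), nil)) // fixed sender; receiver without support rejects
}
```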
How to fix CVE-2026-39832
To remediate CVE-2026-39832, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 0.52.0 or later
Is CVE-2026-39832 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0
- from 0, < 0.52.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |