CVE-2026-39833
Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent
9.1
CRITICAL
CVSS 3.1
EPSS 0.04%
Description
The in-memory keyring returned by NewKeyring() silently accepted keys added with the ConfirmBeforeUse constraint but never enforced it: the key would sign without any confirmation prompt, and nothing indicated to the caller that the constraint was not in effect. NewKeyring() now returns an error when an unsupported constraint is requested.
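As an added illustration (not x/crypto's own code), a minimal stand-in keyring whose Add either silently drops ConfirmBeforeUse, as the pre-fix keyring did, or refuses it, as NewKeyring() does from the fixed version. The AddedKey type, the keyring type and the Probe helper are simplified stand-ins with assumed shapes; the signing key is generated in-process.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// AddedKey mirrors the agent.AddedKey fields used here (stand-in, not x/crypto).
type AddedKey struct {
	PrivateKey       ed25519.PrivateKey
	ConfirmBeforeUse bool
}

// keyring: minimal in-memory keyring with no UI; enforceConstraints selects pre-fix (false) or post-fix (true) Add.
type keyring struct {
	enforceConstraints bool
	keys               []ed25519.PrivateKey
}

// Add: pre-fix silently drops ConfirmBeforeUse; post-fix refuses, so the caller learns it is not in effect.
func (k *keyring) Add(key AddedKey) error {
	if key.ConfirmBeforeUse && k.enforceConstraints {
		return errors.New("agent: keyring cannot enforce ConfirmBeforeUse")
	}
	k.keys = append(k.keys, key.PrivateKey)
	return nil
}

// Sign signs with the first stored key unconditionally: with no UI, a ConfirmBeforeUse key signs without any prompt.
func (k *keyring) Sign(data []byte) []byte {
	return ed25519.Sign(k.keys[0], data)
}

// Probe adds a ConfirmBeforeUse key; true = keyring refused it, false = accepted and signed with no confirmation.
func Probe(enforce bool) (bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	kr := &keyring{enforceConstraints: enforce}
	if err := kr.Add(AddedKey{PrivateKey: priv, ConfirmBeforeUse: true}); err != nil {
		return true, nil // fixed behaviour: rejected up front
	}
	msg := []byte("constructed payload")
	if !ed25519.Verify(pub, msg, kr.Sign(msg)) {
		return false, errors.New("unexpected signing failure")
	}
	return false, nil // vulnerable behaviour: valid signature, nobody was asked
}
```

Probe(false) models the pre-fix keyring and returns false; Probe(true) models the fixed keyring and returns true.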
How to fix CVE-2026-39833
To remediate CVE-2026-39833, upgrade the affected package to one of the fixed versions listed below.
- —no fix listed
- —upgrade to 0.52.0 or later
Is CVE-2026-39833 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0
- from 0, < 0.52.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.1) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |