GO-2026-5005

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2026-5005

Import Source

https://vuln.go.dev/ID/GO-2026-5005.json

JSON Data

https://api.test.osv.dev/v1/vulns/GO-2026-5005

Aliases

CVE-2026-39833

Related

CGA-h9w7-6ppp-6fx8

Published

2026-05-22T02:08:34Z

Modified

2026-05-27T04:29:16.931974828Z

Summary

Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent

Details

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2026-5005"
}

References

Credits

- NCC Group Cryptography Services, sponsored by Teleport

Affected packages

Go / golang.org/x/crypto

Package

Name: golang.org/x/crypto; View open source insights on deps.dev
Purl: pkg:golang/golang.org/x/crypto

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.52.0

Ecosystem specific

{
    "imports": [
        {
            "symbols": [
                "keyring.Add"
            ],
            "path": "golang.org/x/crypto/ssh/agent"
        }
    ]
}

Database specific

source

"https://vuln.go.dev/ID/GO-2026-5005.json"