9.1
CVE-2026-39833
- EPSS 0.36%
- Veröffentlicht 22.05.2026 02:31:26
- Zuletzt bearbeitet 28.05.2026 15:04:39
- Quelle security@golang.org
- CVE-Watchlists
- Unerledigt
Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent
The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.36% | 0.278 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.1 | 3.9 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
|
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://go.dev/issue/79436
https://go.dev/cl/778640
https://go.dev/cl/778641
https://pkg.go.dev/vuln/GO-2026-5005