GO-2026-5006

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2026-5006

Import Source

https://vuln.go.dev/ID/GO-2026-5006.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2026-5006

Aliases

CVE-2026-39832

Published

2026-05-22T02:08:34Z

Modified

2026-05-22T02:30:16.073421958Z

Summary

Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent

Details

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Database specific

{
    "url": "https://pkg.go.dev/vuln/GO-2026-5006",
    "review_status": "REVIEWED"
}

References

Credits

- NCC Group Cryptography Services, sponsored by Teleport

Affected packages

Go / golang.org/x/crypto

Package

Name: golang.org/x/crypto; View open source insights on deps.dev
Purl: pkg:golang/golang.org/x/crypto

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.52.0

Ecosystem specific

{
    "imports": [
        {
            "symbols": [
                "client.Add",
                "keyring.Add"
            ],
            "path": "golang.org/x/crypto/ssh/agent"
        }
    ]
}

Database specific

source

"https://vuln.go.dev/ID/GO-2026-5006.json"