The vulnerability arises when an SSH server authentication callback returns a PartialSuccessError with a non‑nil Permissions value. In prior releases, these permissions were silently discarded, effectively removing certificate restrictions such as the force‑command requirement after a second factor was accepted. The recent change now triggers a connection error for this case, preventing the silent bypass. It is inferred that, before the fix, an attacker could have leveraged this flaw to bypass certificate restrictions and potentially execute commands that a certificate normally prohibits. The issue represents an improper access control weakness.

The Go SSH package (golang.org/x/crypto/ssh) is affected. Any application that embeds this package and defines custom authentication callbacks potentially returning PartialSuccessError with Permissions values is vulnerable. No specific version range is provided in the source data.

The flaw requires control over the SSH server’s authentication callback logic, which is normally limited to trusted application code. It is inferred that an external attacker would need to modify or supply that server-side logic to exploit the vulnerability. No CVSS or EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, indicating that no widespread exploitation has been reported. Because of the local or privileged nature of the required compromise, the overall exploitation likelihood is considered low to moderate at current reporting time.