Description
When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.
Published: 2026-05-22
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when an SSH server authentication callback returns a PartialSuccessError together with a non-nil Permissions value. In prior releases those permissions were silently discarded, which removed certificate restrictions such as a force-command requirement once a second factor was accepted. The fix makes this case a connection error, so the restrictions can no longer be dropped silently. It is inferred that, before the fix, an attacker could have leveraged this flaw to bypass certificate restrictions and potentially execute commands that a certificate normally prohibits. The issue represents an improper access control weakness.

Affected Systems

The Go SSH package (golang.org/x/crypto/ssh) is affected. Any application that embeds this package and defines custom authentication callbacks potentially returning PartialSuccessError with Permissions values is vulnerable. No specific version range is provided in the source data.

Risk and Exploitability

The flaw requires control over the SSH server's authentication callback logic, which is normally limited to trusted application code. It is inferred that an external attacker would need to modify or supply that server-side logic to exploit the vulnerability. The CVSS score is 6.3, the EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog, indicating that no widespread exploitation has been reported. Because the required compromise is local or privileged, the overall exploitation likelihood is considered low to moderate as of this report.

Generated by OpenCVE AI on June 2, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an updated release of golang.org/x/crypto/ssh that returns an error when a PartialSuccessError is accompanied by non-nil Permissions; this corrects the improper access control weakness.
  • Refactor custom SSH authentication callbacks so they never return non-nil Permissions together with a PartialSuccessError; return a standard error instead, so that certificate restrictions are maintained.
  • If an immediate update is not feasible, temporarily disable or reconfigure certificate-based restrictions that rely solely on server-side Permissions handling to avoid the flaw.
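As an added illustration (not code from the advisory, from OpenCVE, or from the Go project), the following self-contained Go program models the two-factor server flow the advisory describes. The types Permissions, ServerAuthCallbacks and PartialSuccessError are hypothetical stand-ins shaped after the golang.org/x/crypto/ssh types of the same names so that the file runs offline without the real package; authenticate, leakyFirstFactor, safeFirstFactor, the user name, the sample password and the force-command value are constructed for the example. It contrasts the callback pattern the advisory warns about with one that returns nil Permissions alongside PartialSuccessError and carries the certificate restrictions into the final callback, and it checks which variant still has force-command on the permissions the connection ends up with.

```go
package main

import (
	"errors"
	"fmt"
)

// Permissions is a stand-in for ssh.Permissions; a certificate's force-command
// restriction lands in CriticalOptions.
type Permissions struct {
	CriticalOptions map[string]string
}

// ServerAuthCallbacks is a stand-in for ssh.ServerAuthCallbacks (password only).
type ServerAuthCallbacks struct {
	PasswordCallback func(user, password string) (*Permissions, error)
}

// PartialSuccessError is a stand-in for ssh.PartialSuccessError: the first
// factor passed and Next lists the methods accepted for the second factor.
type PartialSuccessError struct {
	Next ServerAuthCallbacks
}

func (p *PartialSuccessError) Error() string { return "ssh: authenticated with partial success" }

// ErrPermissionsWithPartialSuccess models the post-fix outcome from the advisory:
// the connection fails instead of silently dropping the permissions.
var ErrPermissionsWithPartialSuccess = errors.New("ssh: non-nil Permissions returned with PartialSuccessError")

// authenticate drives the modelled server flow. strict=true is the fixed
// behaviour; strict=false is the old behaviour, where Permissions returned
// alongside PartialSuccessError were forgotten before the second factor ran.
func authenticate(first func() (*Permissions, error), user, password string, strict bool) (*Permissions, error) {
	perms, err := first()
	var partial *PartialSuccessError
	if !errors.As(err, &partial) {
		return perms, err // plain success or plain failure
	}
	if perms != nil && strict {
		return nil, ErrPermissionsWithPartialSuccess
	}
	if partial.Next.PasswordCallback == nil {
		return nil, errors.New("ssh: no second factor configured")
	}
	return partial.Next.PasswordCallback(user, password) // perms from the first factor are not consulted here
}

// certPermissions is a constructed sample of what a certificate check yields.
func certPermissions() *Permissions {
	return &Permissions{CriticalOptions: map[string]string{"force-command": "/usr/bin/rsync --server"}}
}

// leakyFirstFactor is the pattern the advisory warns about: the certificate's
// Permissions are returned next to the PartialSuccessError, and the second-factor
// callback returns empty Permissions of its own.
func leakyFirstFactor() (*Permissions, error) {
	next := ServerAuthCallbacks{PasswordCallback: func(_, password string) (*Permissions, error) {
		if password != "correct-horse" { // constructed sample second factor
			return nil, errors.New("ssh: bad password")
		}
		return &Permissions{}, nil
	}}
	return certPermissions(), &PartialSuccessError{Next: next}
}

// safeFirstFactor returns nil Permissions with the PartialSuccessError and closes
// over the certificate restrictions, so the final callback (the only one whose
// Permissions the connection keeps) still returns them.
func safeFirstFactor() (*Permissions, error) {
	fromCert := certPermissions()
	next := ServerAuthCallbacks{PasswordCallback: func(_, password string) (*Permissions, error) {
		if password != "correct-horse" { // constructed sample second factor
			return nil, errors.New("ssh: bad password")
		}
		return fromCert, nil
	}}
	return nil, &PartialSuccessError{Next: next}
}

// forceCommand reports whether the final Permissions still carry force-command.
func forceCommand(p *Permissions) (string, bool) {
	if p == nil {
		return "", false
	}
	cmd, ok := p.CriticalOptions["force-command"]
	return cmd, ok
}

func main() {
	for _, c := range []struct {
		name   string
		first  func() (*Permissions, error)
		strict bool
	}{{"leaky, old", leakyFirstFactor, false}, {"leaky, fixed", leakyFirstFactor, true}, {"safe, fixed", safeFirstFactor, true}} {
		perms, err := authenticate(c.first, "alice", "correct-horse", c.strict)
		cmd, kept := forceCommand(perms)
		fmt.Printf("%-12s err=%v force-command kept=%v %q\n", c.name, err, kept, cmd)
	}
}
```

Running it shows the three outcomes side by side: the leaky callback logs in under the old behaviour with force-command gone, is rejected under the fixed behaviour, and the safe callback logs in with force-command intact. The design point is that only the Permissions returned by the last successful callback survive, so any restriction established by an earlier factor has to be threaded through to that final return.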

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 16:45:00 +0000

  Type                 Values (removed/added)
  First Time appeared  Golang crypto
  Weaknesses           CWE-295
  CPEs                 cpe:2.3:a:golang:crypto:*:*:*:*:*:go:*:*
  Vendors & Products   Golang crypto

Fri, 22 May 2026 22:45:00 +0000

  Type                 Values (removed/added)
  Weaknesses           CWE-284

Fri, 22 May 2026 21:15:00 +0000

  Type                 Values (removed/added)
  Weaknesses           CWE-284

Fri, 22 May 2026 18:15:00 +0000

  Type                 Values (removed/added)
  Metrics              cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}
                       ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 13:15:00 +0000

  Type                 Values (removed/added)
  First Time appeared  Golang; Golang ssh
  Vendors & Products   Golang; Golang ssh

Fri, 22 May 2026 05:15:00 +0000

  Type                 Values (removed/added)
  Weaknesses           CWE-284

Fri, 22 May 2026 03:30:00 +0000

  Type                 Values (removed/added)
  Description          When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.
  Title                Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh
References

MITRE
  Status: PUBLISHED
  Assigner: Go
  Published:
  Updated: 2026-05-22T17:44:19.986Z
  Reserved: 2026-04-07T18:13:03.528Z
  Link: CVE-2026-39828

Vulnrichment
  Updated: 2026-05-22T17:44:14.299Z

NVD
  Status: Analyzed
  Published: 2026-05-22T04:16:22.190
  Modified: 2026-06-02T16:33:58.737
  Link: CVE-2026-39828

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-06-02T17:30:13Z

Weaknesses
  • CWE-284: Improper Access Control
  • CWE-295: Improper Certificate Validation