Description
The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.
Published: 2026-05-22
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NewKeyring() silently accepts keys carrying the ConfirmBeforeUse constraint but never enforces it, so such a key signs data without any confirmation prompt or warning. As a result, keys that are trusted to require user confirmation can be used without any user interaction, enabling unauthorized signing of data or code. The flaw effectively removes a hardening layer and can lead to clandestine forgery or credential misuse if an attacker gains access to the keyring.

Affected Systems

The affected component is the golang.org/x/crypto/ssh/agent package, which provides an in-memory keyring used by SSH agents in Go applications. All releases that include the unpatched NewKeyring() behavior are vulnerable. No specific product version list is available at this time.

Risk and Exploitability

An EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. No CVSS score has been published, but the vulnerability permits unauthorized use of cryptographic keys, with a high impact on data integrity and confidentiality. An attacker would need either to have written a key with the constraint into the agent or to already have access to the agent process. Given the lack of exploit data, the exploitation likelihood is unclear, yet the serious potential for unauthorized signing makes this a high-severity risk for affected systems.

Generated by OpenCVE AI on May 22, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade golang.org/x/crypto/ssh/agent to a version that enforces constraints during NewKeyring() initialization, ensuring that unsupported constraints are rejected.
  • Scan existing keyrings for keys added with a ConfirmBeforeUse constraint and remove or modify them to eliminate the unprotected signing capability.
  • Revoke or replace any keys that were added with ConfirmBeforeUse constraints, and avoid reintroducing such keys until the agent is updated and fully tested.

Advisories

No advisories yet.

History

Fri, 22 May 2026 05:45:00 +0000

Type       | Values Removed | Values Added
Weaknesses |                | CWE-285

Fri, 22 May 2026 03:30:00 +0000

Type        | Values Removed | Values Added
Description |                | The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.
Title       |                | Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent
References  |                |

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-22T02:31:26.294Z

Reserved: 2026-04-07T18:13:03.529Z

Link: CVE-2026-39833

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-22T04:16:22.773

Modified: 2026-05-22T04:16:22.773

Link: CVE-2026-39833

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T05:30:28Z

Weaknesses