CVE-2026-39828

Severity CVSS v4.0:
Pending analysis
Type:
CWE-295 Improper Certificate Validation
Publication date:
22/05/2026
Last modified:
02/07/2026

Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:golang:crypto:*:*:*:*:*:go:*:* 0.52.0 (excluding)