{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39828", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-04-07T18:13:03.528Z", "datePublished": "2026-05-22T02:31:26.883Z", "dateUpdated": "2026-06-30T12:05:51.403Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-05-22T02:31:26.883Z"}, "title": "Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh", "descriptions": [{"lang": "en", "value": "When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error."}], "affected": [{"vendor": "golang.org/x/crypto", "product": "golang.org/x/crypto/ssh", "collectionURL": "https://pkg.go.dev", "packageName": "golang.org/x/crypto/ssh", "versions": [{"version": "0", "lessThan": "0.52.0", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "connection.serverAuthenticate"}, {"name": "NewServerConn"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-863: Incorrect Authorization"}]}], "references": [{"url": "https://go.dev/issue/79562"}, {"url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"}, {"url": "https://go.dev/cl/781621"}, {"url": "https://pkg.go.dev/vuln/GO-2026-5014"}], "credits": [{"lang": "en", "value": "NCC Group Cryptography Services, sponsored by Teleport"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-05-22T17:43:55.428395Z", "id": "CVE-2026-39828", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-22T17:44:19.986Z"}}, {"affected": [{"cpes": ["cpe:/a:redhat:assisted_installer:2"], "defaultStatus": "affected", "product": "Assisted Installer for Red Hat OpenShift Container Platform 2", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:openshift_builds:1"], "defaultStatus": "affected", "product": "Builds for Red Hat OpenShift", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:cert_manager:1"], "defaultStatus": "affected", "product": "cert-manager Operator for Red Hat OpenShift", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:confidential_compute_attestation:1"], "defaultStatus": "affected", "product": "Confidential Compute Attestation", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:cryostat:4"], "defaultStatus": "affected", "product": "Cryostat 4", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:external_secrets_operator:1"], "defaultStatus": "affected", "product": "External Secrets Operator for Red Hat OpenShift", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:multicluster_engine"], "defaultStatus": "affected", "product": "Multicluster Engine for Kubernetes", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:openshift_api_data_protection:1"], "defaultStatus": "affected", "product": "OpenShift API for Data Protection", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:openshift_pipelines:1"], "defaultStatus": "affected", "product": "OpenShift Pipelines", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:serverless:1"], "defaultStatus": "affected", "product": "OpenShift Serverless", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:acm:2"], "defaultStatus": "affected", "product": "Red Hat Advanced Cluster Management for Kubernetes 2", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:advanced_cluster_security:4"], "defaultStatus": "affected", "product": "Red Hat Advanced Cluster Security 4", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:ceph_storage:9"], "defaultStatus": "affected", "product": "Red Hat Ceph Storage 9", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:edge_manager:1"], "defaultStatus": "affected", "product": "Red Hat Edge Manager 1", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:10"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux 10", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:openshift_ai"], "defaultStatus": "affected", "product": "Red Hat OpenShift AI (RHOAI)", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:openshift:4"], "defaultStatus": "affected", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:openshift_devspaces:3"], "defaultStatus": "affected", "product": "Red Hat OpenShift Dev Spaces", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:devworkspace"], "defaultStatus": "affected", "product": "Red Hat OpenShift Dev Workspaces Operator", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:windows_machine_config"], "defaultStatus": "affected", "product": "Red Hat OpenShift for Windows Containers", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:openshift_gitops:1"], "defaultStatus": "affected", "product": "Red Hat OpenShift GitOps", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:openshift_service_on_aws:1"], "defaultStatus": "affected", "product": "Red Hat OpenShift on AWS", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:container_native_virtualization:4"], "defaultStatus": "affected", "product": "Red Hat OpenShift Virtualization 4", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:openstack:16.2"], "defaultStatus": "affected", "product": "Red Hat OpenStack Platform 16.2", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:openstack:18.0"], "defaultStatus": "affected", "product": "Red Hat OpenStack Platform 18.0", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:quay:3"], "defaultStatus": "affected", "product": "Red Hat Quay 3", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:trusted_artifact_signer:1"], "defaultStatus": "affected", "product": "Red Hat Trusted Artifact Signer", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:openshift_security_profiles_operator:1"], "defaultStatus": "affected", "product": "Security Profiles Operator", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:zero_trust_workload_identity_manager:1"], "defaultStatus": "affected", "product": "Zero Trust Workload Identity Manager", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:zero_trust_workload_identity_manager:0"], "defaultStatus": "affected", "product": "Zero Trust Workload Identity Manager - Tech Preview", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "defaultStatus": "unaffected", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:openshift_data_foundation:4"], "defaultStatus": "unaffected", "product": "Red Hat Openshift Data Foundation 4", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:openstack:17.1"], "defaultStatus": "unaffected", "product": "Red Hat OpenStack Platform 17.1", "vendor": "Red Hat"}], "datePublic": "2026-05-22T02:31:26.883Z", "descriptions": [{"lang": "en", "value": "A flaw was found in golang.org/x/crypto/ssh. A remote attacker could exploit this vulnerability when an SSH server authentication callback returned a PartialSuccessError with non-nil permissions. This flaw caused these permissions to be silently discarded, potentially bypassing certificate restrictions, such as a force-command, after a second authentication factor succeeded. This could lead to unauthorized command execution or access."}], "metrics": [{"other": {"content": {"namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-281", "description": "Improper Preservation of Permissions", "lang": "en", "type": "CWE"}]}], "references": [{"tags": ["vdb-entry", "x_refsource_REDHAT"], "url": "https://access.redhat.com/security/cve/CVE-2026-39828"}, {"name": "RHBZ#2480687", "tags": ["issue-tracking", "x_refsource_REDHAT"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480687"}, {"tags": ["x_sadp-csaf-vex"], "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39828.json"}], "timeline": [{"lang": "en", "time": "2026-05-22T04:01:46.775Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-05-22T02:31:26.883Z", "value": "Made public."}], "title": "golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}], "x_adpType": "supplier", "x_generator": {"engine": "sadp-cli 1.0.0"}, "providerMetadata": {"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-06-30T12:05:51.403Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39828", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-22T17:43:55.428395Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-22T17:44:14.299Z"}}], "cna": {"title": "Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh", "credits": [{"lang": "en", "value": "NCC Group Cryptography Services, sponsored by Teleport"}], "affected": [{"vendor": "golang.org/x/crypto", "product": "golang.org/x/crypto/ssh", "versions": [{"status": "affected", "version": "0", "lessThan": "0.52.0", "versionType": "semver"}], "packageName": "golang.org/x/crypto/ssh", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "connection.serverAuthenticate"}, {"name": "NewServerConn"}]}], "references": [{"url": "https://go.dev/issue/79562"}, {"url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"}, {"url": "https://go.dev/cl/781621"}, {"url": "https://pkg.go.dev/vuln/GO-2026-5014"}], "descriptions": [{"lang": "en", "value": "When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-05-22T02:31:26.883Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39828", "state": "PUBLISHED", "dateUpdated": "2026-05-22T17:44:19.986Z", "dateReserved": "2026-04-07T18:13:03.528Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2026-05-22T02:31:26.883Z", "assignerShortName": "Go"}, "dataVersion": "5.2"}

{"affected": [{"affectedData": [{"collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "packageName": "golang.org/x/crypto/ssh", "product": "golang.org/x/crypto/ssh", "programRoutines": [{"name": "connection.serverAuthenticate"}, {"name": "NewServerConn"}], "vendor": "golang.org/x/crypto", "versions": [{"lessThan": "0.52.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "source": "security@golang.org"}], "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:crypto:*:*:*:*:*:go:*:*", "matchCriteriaId": "D540395B-31B8-4B07-8F79-F5C631BBD5C8", "versionEndExcluding": "0.52.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error."}], "id": "CVE-2026-39828", "lastModified": "2026-06-17T10:42:39.207", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}], "ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-39828", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "role": "CISA Coordinator", "timestamp": "2026-05-22T17:43:55.428395Z", "version": "2.0.3"}}]}, "published": "2026-05-22T04:16:22.190", "references": [{"source": "security@golang.org", "tags": ["Issue Tracking"], "url": "https://go.dev/cl/781621"}, {"source": "security@golang.org", "tags": ["Issue Tracking"], "url": "https://go.dev/issue/79562"}, {"source": "security@golang.org", "tags": ["Mailing List"], "url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"}, {"source": "security@golang.org", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2026-5014"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.52.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "golang.org/x/crypto/ssh", "source": "cna", "vendor": "golang.org/x/crypto"}, "product": "ssh", "vendor": "golang"}], "created": "2026-05-22T05:00:11.829407+00:00", "updated": "2026-06-02T17:30:13.882856+00:00", "vendors": ["golang", "golang$PRODUCT$ssh"], "weaknesses": ["CWE-284", "CWE-295"]}