@alon710
Created June 26, 2026 09:42
CVE-2026-39828: Go SSH Server PartialSuccessError Permissions Discard Bypass - CVE Security Report

CVSS Score: 6.3 Published: 2026-06-25 Full Report: https://cvereports.com/reports/CVE-2026-39828

Summary

A critical security bypass vulnerability was discovered in the Go SSH server implementation within the golang.org/x/crypto/ssh package. When an SSH server authentication callback returned a PartialSuccessError together with non-nil Permissions, the server silently discarded those permissions before continuing to the next authentication step. Consequently, once the user completed the second-factor authentication, the session-level restrictions were dropped, granting the client unauthorized capabilities.

TL;DR

A session-state vulnerability in Go's SSH server package allows clients to bypass certificate restrictions (such as forced commands or source-address bounds) during multi-factor authentication, resulting in unauthorized unrestricted access.

Technical Details

  • CWE ID: CWE-863 (Primary), CWE-295
  • Attack Vector: Network
  • CVSS v3.1: 6.3
  • EPSS Score: 0.00175 (7.12th percentile)
  • Impact: Authorization Bypass / Privilege Escalation
  • Exploit Status: None (No active public exploits)
  • KEV Status: Not listed

Affected Systems

  • Custom SSH servers built with golang.org/x/crypto/ssh
  • Go-based SSH portals and jump servers
  • Go-based bastion hosts and network gateway controls
  • golang.org/x/crypto: < v0.52.0 (Fixed in: v0.52.0)

Mitigation

  • Upgrade golang.org/x/crypto module to version v0.52.0 or newer
  • Modify custom SSH server authentication callbacks to return nil permissions with PartialSuccessError
  • Enforce intermediate verification checks in custom Go SSH connection loops

Remediation Steps:

  1. Run 'go get golang.org/x/crypto@v0.52.0' in the project directory
  2. Execute 'go mod tidy' to update go.sum and dependencies
  3. Verify that the project compiles and run existing SSH unit tests
  4. Review custom 'VerifiedPublicKeyCallback' or 'PublicKeyCallback' implementations in custom SSH servers to ensure they return nil permissions together with a PartialSuccessError, and attach the restrictions only from the callback that completes authentication
  5. Deploy the rebuilt SSH server binary to staging and production environments
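The callback pattern recommended under Mitigation and Remediation, as an added example that is not part of this report or of golang.org/x/crypto. It is a self-contained, standard-library model of the server auth loop: the Permissions, partialSuccessError and authCallback types are simplified stand-ins for ssh.Permissions, ssh.PartialSuccessError and the callbacks in ssh.ServerAuthCallbacks, and the key database, fingerprint, one-time code and restriction values are constructed sample data. The public-key step returns nil permissions with partial success, the second factor recomputes the restrictions from the already verified key, the loop refuses (rather than silently drops) permissions returned alongside partial success, and a post-auth check fails closed if a required critical option is missing.

```go
package main

import (
	"errors"
	"fmt"
)

// Permissions mirrors the shape of ssh.Permissions (simplified model, assumed names).
type Permissions struct {
	CriticalOptions map[string]string
	Extensions      map[string]string
}

// authCallback stands in for the per-method callbacks of ssh.ServerAuthCallbacks.
type authCallback func(user, credential string) (*Permissions, error)

// partialSuccessError models ssh.PartialSuccessError: this step passed and
// Next holds the callbacks for the methods that are still required.
type partialSuccessError struct {
	Next map[string]authCallback // keyed by SSH auth method name
}

func (e *partialSuccessError) Error() string {
	return "partial success: further authentication required"
}

// authAttempt is one client authentication request (constructed input).
type authAttempt struct {
	Method, Credential string
}

// authenticate is the server-side auth loop. Permissions are accepted only from
// the callback that completes authentication. Non-nil Permissions returned with
// partial success is exactly the state this CVE dropped, so the loop fails
// closed instead of discarding them.
func authenticate(user string, initial map[string]authCallback, attempts []authAttempt) (*Permissions, error) {
	current := initial
	for _, a := range attempts {
		cb, ok := current[a.Method]
		if !ok {
			return nil, fmt.Errorf("auth method %q not offered at this step", a.Method)
		}
		perms, err := cb(user, a.Credential)
		var partial *partialSuccessError
		if errors.As(err, &partial) {
			if perms != nil {
				return nil, errors.New("callback returned Permissions with PartialSuccessError; refusing")
			}
			current = partial.Next
			continue
		}
		if err != nil {
			return nil, err
		}
		return perms, nil
	}
	return nil, errors.New("authentication incomplete: no callback returned success")
}

// keyRecord is a constructed stand-in for a verified certificate: the
// restrictions a real server would read from its critical options.
type keyRecord struct {
	OTP          string
	Restrictions map[string]string
}

// Constructed key database (fingerprint -> record); not real key material.
var knownKeys = map[string]keyRecord{
	"SHA256:backupkey": {
		OTP:          "123456",
		Restrictions: map[string]string{"force-command": "/usr/bin/backup", "source-address": "10.0.0.0/8"},
	},
}

// serverCallbacks builds the first-step callbacks. The public-key step returns
// nil Permissions with partial success and defers the restrictions to the
// second factor, which closes over the verified key.
func serverCallbacks() map[string]authCallback {
	return map[string]authCallback{
		"publickey": func(user, fingerprint string) (*Permissions, error) {
			rec, ok := knownKeys[fingerprint]
			if !ok {
				return nil, errors.New("unknown key")
			}
			second := func(user, otp string) (*Permissions, error) {
				if otp != rec.OTP {
					return nil, errors.New("bad one-time code")
				}
				// Restrictions are attached here, at the final step, so nothing is lost.
				return &Permissions{CriticalOptions: rec.Restrictions, Extensions: map[string]string{}}, nil
			}
			return nil, &partialSuccessError{Next: map[string]authCallback{"keyboard-interactive": second}}
		},
	}
}

// enforceRestrictions is the post-auth check: the session must carry every
// required critical option, otherwise the connection is refused.
func enforceRestrictions(perms *Permissions, required ...string) error {
	if perms == nil {
		return errors.New("no permissions on authenticated session")
	}
	for _, opt := range required {
		if _, ok := perms.CriticalOptions[opt]; !ok {
			return fmt.Errorf("missing critical option %q", opt)
		}
	}
	return nil
}

func main() {
	perms, err := authenticate("backup", serverCallbacks(), []authAttempt{
		{"publickey", "SHA256:backupkey"}, {"keyboard-interactive", "123456"},
	})
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println("force-command:", perms.CriticalOptions["force-command"],
		"check:", enforceRestrictions(perms, "force-command", "source-address"))
}
```

The post-auth check corresponds to the "intermediate verification" item under Mitigation: even after upgrading, a server that knows which critical options a session must carry can refuse connections whose Permissions arrive empty, which turns a silent restriction loss into a visible authentication failure.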

Generated by CVEReports - Automated Vulnerability Intelligence