CVE-2026-39828: Go SSH Server PartialSuccessError Permissions Discard Bypass
Vulnerability ID: CVE-2026-39828
CVSS Score: 6.3
Published: 2026-06-25
A critical security bypass vulnerability was discovered in the Go SSH server implementation within the golang.org/x/crypto/ssh package. When an SSH server authentication callback returned a PartialSuccessError alongside non-nil Permissions, the server silently discarded these permissions before the subsequent authentication step. Consequently, once the user completed the second-factor authentication, the session-level restrictions were dropped, granting the client unauthorized capabilities.
TL;DR
A session state vulnerability in Go's SSH server package allows clients to bypass certificate restrictions (such as forced commands or client source IP bounds) during multi-factor authentication, resulting in unauthorized unrestricted access.
Technical Details
- CWE ID: CWE-863 (Primary), CWE-295
- Attack Vector: Network
- CVSS v3.1: 6.3
- EPSS Score: 0.00175 (7.12% percentile)
- Impact: Authorization Bypass / Privilege Escalation
- Exploit Status: None (No active public exploits)
- KEV Status: Not listed
Affected Systems
- Custom SSH servers built with golang.org/x/crypto/ssh
- Go-based SSH portals and jump servers
- Go-based bastion hosts and network gateway controls
- golang.org/x/crypto: < v0.52.0 (Fixed in: v0.52.0)
Code Analysis
Commit: b25012b
ssh: reject non-nil Permissions combined with PartialSuccessError
Mitigation Strategies
- Upgrade golang.org/x/crypto module to version v0.52.0 or newer
- Modify custom SSH server authentication callbacks to return nil permissions with PartialSuccessError
- Enforce intermediate verification checks in custom Go SSH connection loops
Remediation Steps:
- Run 'go get golang.org/x/crypto@v0.52.0' in the project directory
- Execute 'go mod tidy' to update go.sum and dependencies
- Verify that the project compiles and run existing SSH unit tests
- Review custom 'PublicKeyCallback' or 'VerifiedPublicKeyCallback' implementations in custom SSH servers to ensure they return nil permissions together with a PartialSuccessError during partial success
- Deploy the rebuilt SSH server binary to staging and production environments
References
- Go Issue Tracker Thread #79562
- Gerrit Code Review / Code Patch
- Go Vulnerability Advisory GO-2026-5014
- Golang Announce Mailing List