CVE-2026-39831: Authentication Bypass in golang.org/x/crypto/ssh via FIDO/U2F User Presence Bypass
Vulnerability ID: CVE-2026-39831
CVSS Score: 9.1
Published: 2026-06-25
An authentication bypass vulnerability was identified in the golang.org/x/crypto/ssh package. The library's verification logic for FIDO/U2F security keys failed to check the User Presence (UP) flag. This omission allows an attacker with access to a hardware token interface or an agent-forwarding socket to authenticate without physical user interaction.
TL;DR
The Go SSH library failed to verify the User Presence (UP) flag on FIDO/U2F hardware security keys, allowing authentication to proceed without the required physical tap or touch confirmation.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-290
- Attack Vector: Network
- CVSS Base Score: 9.1
- EPSS Score: 0.00373
- Exploit Status: poc
- CISA KEV Status: Not Listed
Affected Systems
- Go services utilizing golang.org/x/crypto/ssh
- Go-based SSH jump servers or bastion hosts
- Custom SSH client applications built with the Go standard sub-repository
-
golang.org/x/crypto/ssh: < v0.52.0 (Fixed in:
v0.52.0)
Code Analysis
Commit: 781662
ssh: verify user presence for security key signatures
Mitigation Strategies
- Upgrade golang.org/x/crypto to version v0.52.0 or newer
- Disable SSH agent forwarding when connecting to untrusted hosts
- Enforce mandatory token-touch policies within upstream SSH server configurations
Remediation Steps:
- Run 'go get -u golang.org/x/crypto@v0.52.0' in your project root.
- Execute 'go mod tidy' to update go.sum and dependencies.
- Rebuild and redeploy all affected services, binaries, and proxies.
References
- Go Announcement Advisory (GO-2026-5019)
- Go Bug Tracker Issue #79566
- Official Gerrit Change List (CL 781662)
Read the full report for CVE-2026-39831 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)