CVE-2026-39828 Overview
CVE-2026-39828 affects the Go golang.org/x/crypto/ssh package. When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, the server silently discarded those permissions. This behavior could drop certificate restrictions such as force-command after a second authentication factor succeeded. An authenticated client could bypass intended certificate-bound command restrictions during multi-factor SSH authentication flows.
The fix changes the behavior so that returning non-nil Permissions together with PartialSuccessError now produces a connection error. The issue is tracked as GO-2026-5014 in the Go vulnerability database.
Critical Impact
Authenticated SSH clients could evade certificate-enforced restrictions like force-command, expanding the effective privilege granted by an SSH certificate after multi-factor authentication.
Affected Products
- Go golang.org/x/crypto/ssh package (server-side SSH implementations)
- Applications embedding the Go SSH library that use PartialSuccessError in authentication callbacks
- Multi-factor SSH server deployments relying on certificate force-command or source-address restrictions
Discovery Timeline
- 2026-05-22 - CVE-2026-39828 published to NVD
- 2026-05-22 - Last updated in NVD database
Technical Details for CVE-2026-39828
Vulnerability Analysis
The Go x/crypto/ssh server framework supports multi-step authentication. Callbacks can return PartialSuccessError to signal that one factor succeeded but additional authentication is required. The Permissions struct conveys SSH certificate constraints, including force-command, source-address restrictions, and other CriticalOptions and Extensions.
The server logic discarded any Permissions value attached to a PartialSuccessError return. Once the subsequent authentication factor completed, the connection proceeded without the constraints established during the first factor. A client presenting an SSH certificate bound to a restricted command could therefore obtain an unrestricted shell after completing the second factor.
The defect is a logic flaw in authentication state handling, classified as Broken Access Control. It does not require memory corruption or cryptographic weaknesses to exploit.
Root Cause
The server-side authentication loop in x/crypto/ssh did not propagate the Permissions field from a partial-success return into the connection's final permission set. Certificate-derived restrictions established during the first authentication step were lost when the loop moved to the next factor.
Attack Vector
An attacker needs valid credentials for at least one authentication factor and a usable SSH certificate. The attacker connects to a server that uses PartialSuccessError in its authentication callbacks and supplies the second factor. Restrictions encoded in the certificate, such as force-command=/usr/bin/restricted-tool, are not enforced on the resulting session.
The vulnerability mechanism is described in the Go Vulnerability Report GO-2026-5014 and the upstream Go Development Change Log. No public proof-of-concept exploit is available.
Detection Methods for CVE-2026-39828
Indicators of Compromise
- SSH sessions where an authenticated user executes commands outside the force-command value bound to their certificate
- Authentication audit logs showing partial-success returns followed by full session establishment without restriction enforcement
- Process execution on SSH hosts that does not match the expected restricted command for certificate-authenticated users
Detection Strategies
- Inventory Go binaries and services that import golang.org/x/crypto/ssh and review whether authentication callbacks return PartialSuccessError with Permissions populated
- Compare expected per-certificate force-command values against actual executed commands captured in shell or auditd logs
- Use software composition analysis to flag builds linking vulnerable versions of golang.org/x/crypto/ssh referenced in GO-2026-5014
Monitoring Recommendations
- Forward SSH server authentication and session-start events to a centralized logging pipeline for correlation
- Alert on certificate-authenticated SSH sessions that spawn child processes outside an allow-list
- Track post-patch behavior: connections that previously succeeded but now return an authentication error indicate code paths that relied on the broken behavior
How to Mitigate CVE-2026-39828
Immediate Actions Required
- Update golang.org/x/crypto/ssh to the fixed version referenced in GO-2026-5014 and rebuild affected services
- Audit authentication callbacks for any path that returns PartialSuccessError with a non-nil Permissions value, and remove the Permissions assignment
- Re-verify enforcement of certificate force-command and source-address restrictions after deploying the patched binaries
Patch Information
The upstream fix is published in the Go Development Change Log and announced via the Golang Announce Group Post. Tracking details are available in the Go Development Issue Report. Operators should rebuild and redeploy all Go services that embed the SSH server library.
Workarounds
- Avoid returning PartialSuccessError with a populated Permissions field until upgrading; rely on the final authentication step to set permissions
- Enforce force-command and other certificate restrictions at a second layer, such as a restricted shell or PAM-based command filtering on the host
- Require source-address checks at the network layer when SSH certificate source-address cannot be relied upon
# Configuration example: update the Go SSH dependency to the patched release
go get golang.org/x/crypto@latest
go mod tidy
go build ./...
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
