CVE-2026-39831: FIDO/U2F Auth Bypass Vulnerability

CVE-2026-39831 Overview

CVE-2026-39831 affects the Go golang.org/x/crypto/ssh package. The Verify() method for FIDO and Universal 2nd Factor (U2F) security key types (sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com) did not check the User Presence flag. SSH servers built with the affected library accepted signatures generated without a physical touch on the hardware authenticator. This allows unattended use of a FIDO/U2F security key, breaking a core assumption of hardware-backed multi-factor authentication.

Critical Impact

SSH servers using the affected Go library accept FIDO/U2F signatures produced without user presence, enabling silent reuse of a hardware key by an attacker with access to the signing flow.

Affected Products

• Go golang.org/x/crypto/ssh package (server-side Verify() for FIDO/U2F keys)
• Applications consuming sk-ecdsa-sha2-nistp256@openssh.com keys via the Go SSH library
• Applications consuming sk-ssh-ed25519@openssh.com keys via the Go SSH library

Discovery Timeline

• 2026-05-22 - CVE-2026-39831 published to the National Vulnerability Database (NVD)
• 2026-05-22 - Last updated in NVD database
• GO-2026-5019 - Tracked by the Go vulnerability database

Technical Details for CVE-2026-39831

Vulnerability Analysis

The vulnerability resides in the SSH signature verification path for FIDO/U2F security key algorithms in golang.org/x/crypto/ssh. FIDO/U2F SSH signatures include flag bits that indicate whether the user physically interacted with the authenticator. The User Presence (UP) bit, when set, signals that a human touched the key during signing. The affected Verify() implementation accepted the signature regardless of the UP bit state.

As a result, an attacker who can drive the authenticator, for example through a compromised host with the key still inserted or through a malicious client process, can produce valid SSH authentications without any physical interaction. This converts a possession-and-presence factor into a possession-only factor. The fix enforces the User Presence flag by default and provides a no-touch-required extension in Permissions.Extensions from PublicKeyCallback for callers that intentionally allow touchless keys.

Root Cause

The root cause is a missing input validation check [CWE-20] in the FIDO/U2F signature verification logic. The Verify() method parsed the signature blob but did not assert that the User Presence flag was set before returning success. The flag was effectively treated as informational rather than as a security-relevant condition.

Attack Vector

Exploitation requires the attacker to reach the SSH authentication flow with a valid hardware-backed public key registered for a target account. An adversary with code execution on a host where the security key is connected, or with the ability to relay signing requests, can request signatures without prompting the user. The vulnerable server accepts these unattended signatures and grants access. The attack is network-reachable against any SSH service built on the affected library that enforces FIDO/U2F keys as a presence factor.

No verified proof-of-concept code is published. See the Go.dev Issue #79566 and Go.dev CL #781662 for technical details of the fix.

Detection Methods for CVE-2026-39831

Indicators of Compromise

• Successful SSH logins authenticated with sk-ecdsa-sha2-nistp256@openssh.com or sk-ssh-ed25519@openssh.com keys at times the user reports no physical interaction.
• Bursts of FIDO/U2F-backed SSH sessions from a single source within short intervals, inconsistent with manual touch cadence.
• Authentication events from hosts where the security key is known to be left inserted unattended.

Detection Strategies

• Inventory Go binaries and services that import golang.org/x/crypto/ssh and identify versions predating the fix referenced in GO-2026-5019.
• Correlate SSH sk-* key authentication events with endpoint telemetry that indicates user activity, such as keyboard or HID input on the host holding the key.
• Alert on FIDO/U2F SSH authentications that occur outside expected user working hours or from automated job hosts.

Monitoring Recommendations

• Enable verbose SSH server auditing to capture the key type and fingerprint for every accepted authentication.
• Forward SSH authentication logs to a centralized analytics platform and baseline per-user FIDO authentication frequency.
• Track issuance and use of keys carrying the no-touch-required option in authorized_keys and treat unexpected appearances as suspicious.

How to Mitigate CVE-2026-39831

Immediate Actions Required

• Upgrade golang.org/x/crypto to the fixed version identified in GO-2026-5019 and rebuild all dependent SSH server binaries.
• Audit authorized_keys files across the fleet and remove or scope any keys that should not permit touchless use.
• Rotate FIDO/U2F SSH credentials for high-value accounts if logs cannot rule out unattended use during the exposure window.

Patch Information

The fix is delivered in golang.org/x/crypto/ssh via the change in Go.dev CL #781662 and announced in the Golang Announce Post. After upgrading, the server enforces the User Presence flag by default. To restore the prior behavior intentionally for specific principals, return a no-touch-required extension in Permissions.Extensions from PublicKeyCallback.

Workarounds

• Restrict SSH access to bastion hosts and require interactive sessions for accounts using FIDO/U2F keys.
• Configure authorized_keys entries without the no-touch-required option so OpenSSH clients and compliant servers refuse touchless signatures.
• Require an additional authentication factor, such as a short-lived certificate, for accounts where the underlying Go-based SSH server cannot be upgraded immediately.

# Configuration example: update Go module and rebuild affected services
go get golang.org/x/crypto@latest
go mod tidy
go build ./...

# Verify no authorized_keys entries silently allow touchless use
grep -RnE 'no-touch-required' /home/*/.ssh/authorized_keys /etc/ssh/