CVE-2026-39832

Vulnerability Description

When adding a key to a remote agent constraint extensions such as [email protected] were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

References

• https://go.dev/cl/778642
• https://go.dev/issue/79435
• https://groups.google.com/g/golang-announce/c/a082jnz-LvI
• https://pkg.go.dev/vuln/GO-2026-5006

FAQ

What is CVE-2026-39832?

CVE-2026-39832 is a documented vulnerability. When adding a key to a remote agent constraint extensions such as [email protected] were not serialized in the request. Destination restrictions were silently stripped when forwardi...

How severe is CVE-2026-39832?

CVSS scoring is not yet available for CVE-2026-39832. Check NVD for updates.

Is there a patch for CVE-2026-39832?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.