{"uuid": "5ccd09fa-ef60-47d9-b6dc-3ca3ab2891ae", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39828", "type": "seen", "source": "https://gist.github.com/alon710/0c57746e41348ce39fa4a70a8b089dd8", "content": "# CVE-2026-39828: Go SSH Server PartialSuccessError Permissions Discard Bypass\n\n> **CVSS Score:** 6.3\n> **Published:** 2026-06-25\n> **Full Report:** https://cvereports.com/reports/CVE-2026-39828\n\n## Summary\nA critical security bypass vulnerability was discovered in the Go SSH server implementation within the golang.org/x/crypto/ssh package. When an SSH server authentication callback returned a PartialSuccessError alongside non-nil Permissions, the server silently discarded these permissions before the subsequent authentication step. Consequently, once the user completed the second-factor authentication, the session-level restrictions were dropped, granting the client unauthorized capabilities.\n\n## TL;DR\nA session state vulnerability in Go's SSH server package allows clients to bypass certificate restrictions (such as forced commands or client source IP bounds) during multi-factor authentication, resulting in unauthorized unrestricted access.\n\n## Technical Details\n\n- **CWE ID**: CWE-863 (Primary), CWE-295\n- **Attack Vector**: Network\n- **CVSS v3.1**: 6.3\n- **EPSS Score**: 0.00175 (7.12% percentile)\n- **Impact**: Authorization Bypass / Privilege Escalation\n- **Exploit Status**: None (No active public exploits)\n- **KEV Status**: Not listed\n\n## Affected Systems\n\n- Custom SSH servers built with golang.org/x/crypto/ssh\n- Go-based SSH portals and jump servers\n- Go-based bastion hosts and network gateway controls\n- **golang.org/x/crypto**: < v0.52.0 (Fixed in: `v0.52.0`)\n\n## Mitigation\n\n- Upgrade the golang.org/x/crypto module to version v0.52.0 or newer\n- Modify custom SSH server authentication callbacks to return nil permissions with PartialSuccessError\n- Enforce intermediate verification checks in custom Go SSH connection loops\n\n**Remediation Steps:**\n1. Run 'go get golang.org/x/crypto@v0.52.0' in the project directory\n2. Execute 'go mod tidy' to update go.sum and dependencies\n3. Verify that the project compiles and run existing SSH unit tests\n4. Review custom 'VerifiedPublicKeyCallback' or 'PublicKeyCallback' structures in custom SSH servers to ensure they return nil permissions during partial success\n5. Deploy the rebuilt SSH server binary to staging and production environments\n\n## References\n\n- [Go Issue Tracker Thread #79562](https://go.dev/issue/79562)\n- [Gerrit Code Review / Code Patch](https://go.dev/cl/781621)\n- [Go Vulnerability Advisory GO-2026-5014](https://pkg.go.dev/vuln/GO-2026-5014)\n- [Golang Announce Mailing List](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-39828) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-26T09:43:16.361701Z"}