CVE-2026-39832

high

Description

When adding a key to a remote agent constraint extensions such as [email protected] were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

References

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39832.json

https://pkg.go.dev/vuln/GO-2026-5006

https://groups.google.com/g/golang-announce/c/a082jnz-LvI

https://go.dev/issue/79435

https://go.dev/cl/778642

https://bugzilla.redhat.com/show_bug.cgi?id=2480685

https://access.redhat.com/security/cve/CVE-2026-39832

https://access.redhat.com/errata/RHSA-2026:35833

Details

Source: Mitre, NVD

Published: 2026-05-22

Updated: 2026-07-06

Risk Information

CVSS v2

Base Score: 9.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

Severity: High

CVSS v3

Base Score: 8.7

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Severity: High

EPSS

EPSS: 0.0003