CVE-2026-39833 - Go x/crypto ssh agent confirm constraint bypass

golang.org/x/crypto/ssh/agent before 0.52.0 lets NewKeyring() accept keys with the ConfirmBeforeUse constraint but never actually enforce that confirmation. Keys sign immediately, and callers receive no signal that the constraint is ineffective.

This is a key-usage authorization failure for Go code that assumes in-memory agent keyrings honor confirmation prompts.

When to use it

Use this recipe when a Go service, CLI, Git helper, deployment tool, or agent runner uses golang.org/x/crypto/ssh/agent and relies on confirm constraints to require user approval before private-key signing. It is designed for source-code remediation, SSH agent trust-boundary review, key-use approval testing, and evidence that constrained keys cannot sign without confirmation.

Inputs

  • golang.org/x/crypto version, Go module/vendor state, SSH agent usage, forwarded-agent paths, key constraints, CLI/server call sites, and generated dependency or SBOM reports.
  • Source paths that call agent.Sign, Signers, agent forwarding, Git/SSH operations, deploy helpers, or automation that can request signatures.
  • Regression fixtures for constrained keys, unconstrained keys, confirm required, denied confirmation, allowed confirmation, and no real private-key material in tests.
  • Boundary evidence: private-key scope, forwarded agents, deploy/repository access, operator workflows, logs, key rotation owner, and rollout owner.

Affected versions

  • Vulnerable: golang.org/x/crypto/ssh/agent <0.52.0
  • Fixed: 0.52.0+
  • Affected surface: in-memory agent keyrings created with NewKeyring()

Indicator-of-exposure

  • The repository resolves golang.org/x/crypto <0.52.0.
  • Code uses ssh/agent.NewKeyring().
  • Security policy expects ConfirmBeforeUse to require explicit approval before signing.

Quick checks:

rg -n "NewKeyring\\(|ConfirmBeforeUse|ConstraintExtension|ssh/agent" .
go list -m all | rg "golang.org/x/crypto"

Windows:

rg -n "NewKeyring\\(|ConfirmBeforeUse|ConstraintExtension|ssh/agent" .
go list -m all | rg "golang.org/x/crypto"

Remediation strategy

  • Upgrade golang.org/x/crypto to 0.52.0+.
  • Reject unsupported key constraints rather than silently accepting them.
  • Audit whether any repository-owned workflows assumed confirmation prompts were being enforced.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-39833 / GHSA-jppx-rxg9-jmrx in Go ssh-agent code.
`NewKeyring()` accepts confirm-before-use constraints but does not enforce
them. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades `golang.org/x/crypto`,
  hardens keyring constraint handling, adds regression tests, and documents
  operator follow-up, or
- TRIAGE.md if this repository does not control an affected agent keyring path.

## Rules

- Scope only CVE-2026-39833 and directly related keyring constraint handling.
- Treat private keys, agent sockets, and approval workflows as sensitive.
- Do not use production signing keys for validation.
- Do not auto-merge.

## Steps

1. Inventory every Go module and binary controlled here that uses
   `golang.org/x/crypto/ssh/agent`.
2. Confirm whether any resolved version is `<0.52.0`.
3. Trace `NewKeyring()` usage and any policy that relies on
   `ConfirmBeforeUse`.
4. If no affected path is controlled here, stop with `TRIAGE.md`.
5. Upgrade to `0.52.0+` and refresh module metadata and images.
6. Add regression tests proving unsupported confirm constraints fail closed.
7. Review any workflow that assumed local signing required interactive
   confirmation.
8. Add a PR body section named `CVE-2026-39833 operator actions` covering
   versions before and after, keyring paths reviewed, and validation that
   passed.
9. Run available validation: `go test`, builds, and dependency/security scans.
10. Use PR title:
    `fix(sec): remediate Go ssh-agent confirm constraint bypass`.

Output contract

  • A reviewer-ready PR or change request that upgrades golang.org/x/crypto, refreshes modules/vendor state, adds confirm-constraint regression tests, and documents SSH key/agent exposure review.
  • Or a TRIAGE.md file that lists inspected modules/call sites, owner, observed version, SSH agent trust boundary, required fix, and residual risk.
  • The output must include exact validation commands and must not use real private keys, request live signatures, expose agent sockets, or weaken deploy key controls.

Verification - what the reviewer looks for

  • No controlled binary resolves golang.org/x/crypto/ssh/agent <0.52.0.
  • Keyrings do not silently accept unsupported confirm constraints.
  • Regression tests prove unsafe key additions fail closed.

Watch for

  • Assuming agent UX implies confirmation was enforced.
  • Updating one keyring path while helper binaries still vendor the old module.

References