What is the CVSS score of CVE-2026-39833?

CVE-2026-39833 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of golang.org/x/crypto are affected by CVE-2026-39833?

Applications using Go's SSH agent library (golang.org/x/crypto/ssh/agent versions before 0.52.0) that implemented ConfirmBeforeUse controls to gate sensitive SSH key signing operations discover these…. A patch is available.

golang.org/x/crypto CVE-2026-39833

EUVD-2026-31389 CRITICAL

Missing Authorization (CWE-862)

2026-05-22 Go

Authentication Bypass Golang Org X Crypto Ssh Agent

9.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

May 28, 2026 - 15:07 vuln.today

CVSS changed

May 28, 2026 - 15:07 NVD

9.1 (None) 9.1 (CRITICAL)

Patch available

May 22, 2026 - 04:31 EUVD

CVE Published

May 22, 2026 - 02:31 nvd

UNKNOWN (no severity yet)

DescriptionNVD

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

AnalysisAI

Authentication bypass in Go's golang.org/x/crypto/ssh/agent in-memory keyring (versions before 0.52.0) allows SSH key signing operations to proceed without the intended ConfirmBeforeUse user confirmation prompt. Applications that relied on this constraint to gate sensitive signing actions effectively had no protection, with no error returned to indicate the constraint was silently ignored. …

RemediationAI

Within 24 hours: Conduct inventory of all Go applications using golang.org/x/crypto/ssh/agent dependency and document current versions in use. Within 7 days: Upgrade golang.org/x/crypto/ssh/agent to version 0.52.0 or later in all affected applications, rebuild, and stage for production deployment. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-39833 vulnerability details – vuln.today

Back

golang.org/x/crypto CVE-2026-39833

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code