Skip to content
Threat Feed
high advisory

CVE-2026-39832: Agent Constraints Dropped When Forwarding Keys in golang.org/x/crypto/ssh/agent

CVE-2026-39832 describes a vulnerability where agent constraints are dropped when forwarding keys in golang.org/x/crypto/ssh/agent, potentially leading to unauthorized access.

CVE-2026-39832 is a security vulnerability affecting golang.org/x/crypto/ssh/agent. The vulnerability stems from agent constraints being dropped during the forwarding of keys. This can occur in scenarios where an attacker gains control over an intermediary system involved in the SSH key forwarding process. The dropping of these constraints could allow an attacker to bypass intended restrictions and gain unauthorized access to resources protected by the forwarded key. The vulnerability has potential implications for systems relying on SSH key forwarding for secure access control. Defenders should investigate and apply necessary patches or mitigations.

Attack Chain

  1. Attacker compromises an intermediary system that is part of an SSH key forwarding chain.
  2. Victim initiates an SSH connection to a target system, utilizing key forwarding through the compromised intermediary.
  3. The compromised intermediary intercepts the forwarded key.
  4. Due to the vulnerability (CVE-2026-39832) in golang.org/x/crypto/ssh/agent, agent constraints associated with the forwarded key are dropped.
  5. The attacker, now in control of the intermediary, utilizes the forwarded key without the original constraints.
  6. The attacker bypasses intended access restrictions on the target system.
  7. Attacker gains unauthorized access to the target system with the privileges of the forwarded key.

Impact

Successful exploitation of CVE-2026-39832 can lead to unauthorized access to systems protected by SSH key forwarding. The dropping of agent constraints allows an attacker to bypass intended restrictions, potentially granting them elevated privileges and access to sensitive data. Depending on the access granted by the forwarded key, the impact could range from data breaches to complete system compromise.

Recommendation

  • Investigate patching golang.org/x/crypto/ssh/agent to address CVE-2026-39832 based on vendor advisories.
  • Deploy the Sigma rules provided below to detect potential exploitation attempts within your environment.

Detection coverage 2

Detect Suspicious SSH Agent Forwarding with Missing Constraints

medium

Detects CVE-2026-39832 exploitation -- SSH agent forwarding activity where key constraints are unexpectedly absent, potentially indicating exploitation of the vulnerability.

sigma tactics: initial_access techniques: T1570 sources: process_creation, linux

Detect SSH Connection with Agent Forwarding

low

Detects attempts to establish SSH connections with agent forwarding enabled, potentially indicating an attempt to exploit CVE-2026-39832.

sigma tactics: initial_access techniques: T1570 sources: network_connection, linux

Detection queries are available on the platform. Get full rules →