CVE-2026-39830

A high-severity vulnerability in golang.org/x/crypto/ssh (Go) affecting versions < 0.52.0. A fixed version is available in 0.52.0.

Summary

When an SSH server authentication callback returned PartialSuccessError, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded.

Impact

The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.52.0); upgrading removes the vulnerable code path.

Affected versions

golang.org/x/crypto/ssh (< 0.52.0)

Security releases

golang.org/x/crypto/ssh → 0.52.0 (go)

Successful exploitation allows a low-privileged remote attacker to bypass authorization controls that trust the affected code path. Real-world applications at risk include trusted-header SSO deployments, where exploitation could lead to full account takeover.

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade golang.org/x/crypto/ssh to 0.52.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. Is CVE-2026-39830 being exploited in the wild? Exploitation likelihood is estimated by the EPSS score shown above. Runtime intelligence is what confirms whether the vulnerable path executes in your own environment.
  2. How do I know if my application is affected? Check whether the affected package and version are present, then whether the vulnerable code is reachable. Kodem determines both automatically.

Other vulnerabilities in golang.org/x/crypto/ssh

CVE-2025-22869CVE-2024-45337

Stop the waste.
Protect your environment with Kodem.