CVE-2026-39828
published 2026-05-22
Priority: P3 (37), medium
CVSS 3.1: 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS: 0.22% (12.5th percentile)
When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.
Affected
193 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advanced-cluster-security | rhacs-main-rhel8 | — | — |
| advanced-cluster-security | rhacs-rhel8-operator | — | — |
| advanced-cluster-security | rhacs-roxctl-rhel8 | — | — |
| advanced-cluster-security | rhacs-scanner-rhel8 | — | — |
| advanced-cluster-security | rhacs-scanner-slim-rhel8 | — | — |
| advanced-cluster-security | rhacs-scanner-v4-rhel8 | — | — |
| assisted | agent-preinstall-image-builder-rhel9 | — | — |
| cert-manager | jetstack-cert-manager-acmesolver-rhel9 | — | — |
| cert-manager | jetstack-cert-manager-rhel9 | — | — |
| compliance | openshift-security-profiles-operator-bundle | — | — |
| compliance | openshift-security-profiles-rhel8-operator | — | — |
| container-native-virtualization | virt-api-rhel9 | — | — |
| container-native-virtualization | virt-artifacts-server-rhel9 | — | — |
| container-native-virtualization | virt-controller-rhel9 | — | — |
| container-native-virtualization | virt-exportproxy-rhel9 | — | — |
| container-native-virtualization | virt-exportserver-rhel9 | — | — |
| container-native-virtualization | virt-handler-rhel9 | — | — |
| container-native-virtualization | virt-launcher-rhel9 | — | — |
| container-native-virtualization | virt-operator-rhel9 | — | — |
| cryostat | cryostat-storage-rhel9 | — | — |
| devspaces | traefik-rhel9 | — | — |
| devworkspace | devworkspace-project-clone-rhel9 | — | — |
| devworkspace | devworkspace-rhel9-operator | — | — |
| external-secrets-operator | external-secrets-rhel9 | — | — |
| golang.org | x_crypto_golang.org_x_crypto_ssh | < 0.52.0 | 0.52.0 |
CVSS provenance
nvd · v3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
vendor_redhat · 6.3 MEDIUM
GHSA
golang.org/x/crypto/ssh vulnerable to invoking bypass of certificate restrictions
ghsa·2026-06-25
CVE-2026-39828 [MEDIUM] CWE-295 golang.org/x/crypto/ssh vulnerable to invoking bypass of certificate restrictions
VulDB
x-crypto up to 0.51.x on Go SSH Authentication Call authorization (WID-SEC-2026-1653)
vuldb·2026-05-23
CVE-2026-39828 [LOW] x-crypto up to 0.51.x on Go SSH Authentication Call authorization (WID-SEC-2026-1653)
A vulnerability has been found in x-crypto up to 0.51.x on Go and classified as problematic. Affected by this vulnerability is an unknown functionality of the component SSH Authentication Call Handler. The manipulation leads to incorrect authorization.
This vulnerability is listed as CVE-2026-39828. The attack may be initiated remotely. There is no available exploit.
The affected component should be upgraded.
Red Hat
golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions
vendor_redhat·2026-05-22·CVSS 6.3
CVE-2026-39828 [MEDIUM] CWE-281 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions
A flaw was found in golang.org/x/crypto/ssh. A remote attacker could exploit this vulnerability when an SSH server authentication callback returned a PartialSuccessError with non-nil permissions. This flaw caused these permissions to be silently discarded, potentially bypassing certificate restrictions, such as a force-command, after a second authentica
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-39828 gopass-jsonapi: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 gopass-jsonapi: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39828 DankMaterialShell: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 DankMaterialShell: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 tailscale: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 tailscale: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 ollama: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 ollama: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 golang-x-crypto: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 golang-x-crypto: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 cri-o1.33: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 cri-o1.33: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 apptainer: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 apptainer: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
Discussion:
Apptainer does not use server-side ssh from the crypto library, so this vulnerability is not applicable.
Bugzilla
CVE-2026-39828 doctl: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 doctl: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 forgejo-runner: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 forgejo-runner: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
Bugzilla
CVE-2026-39828 forgejo: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 forgejo: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 nuclei: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 nuclei: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 cri-o1.32: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 cri-o1.32: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 chezmoi: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 chezmoi: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
Bugzilla
CVE-2026-39828 gh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 gh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
Bugzilla
CVE-2026-39828 cri-o: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 cri-o: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 restic: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 restic: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 kubernetes1.35: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 kubernetes1.35: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 transifex-client: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 transifex-client: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 caddy: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 caddy: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Discussion:
I just recently fixed this in rawhide with caddy-2.11.4-1.fc45. All other fedora branches are affected.
Bugzilla
CVE-2026-39828 vagrant: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 vagrant: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 kubernetes1.31: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 kubernetes1.31: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 singularity-ce: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 singularity-ce: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
Bugzilla
CVE-2026-39828 golang-x-crypto: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 golang-x-crypto: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
Bugzilla
CVE-2026-39828 rclone: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 rclone: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
Bugzilla
CVE-2026-39828 age: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 age: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 forgejo-runner: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 forgejo-runner: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 google-guest-agent: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 google-guest-agent: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 podman: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 podman: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Discussion:
No Red Hat software affected.
Bugzilla
CVE-2026-39828 opkssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 opkssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 docker-buildkit: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 docker-buildkit: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 kubernetes1.34: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 kubernetes1.34: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 buildah: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 buildah: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Discussion:
CVE page says no Red Hat software affected.
Bugzilla
CVE-2026-39828 singularity-ce: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 singularity-ce: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 cri-o1.35: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 cri-o1.35: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 golang-github-cloudflare-cfssl: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 golang-github-cloudflare-cfssl: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 rootlesskit: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 rootlesskit: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 rclone: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 rclone: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 golang-github-acme-lego: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 golang-github-acme-lego: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 kubernetes1.30: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 kubernetes1.30: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 docker-compose: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 [MEDIUM] CVE-2026-39828 docker-compose: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
Bugzilla
CVE-2026-39828 nng: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 matterbridge: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 clash-meta: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 chezmoi: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 inspektor-gadget: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 golang-github-facebookincubator-go2chef: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 vhs: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 opentofu: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 pack: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 gopass-hibp: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 cri-o1.31: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 cri-o1.34: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 jfrog-cli: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 golang-github-theoapp-theo-agent: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 openbao: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
bugzilla·2026-06-17·CVSS 6.3
Discussion:
OpenBao does not use ssh/agent from the crypto library so this vulnerability is not applicable
Bugzilla
CVE-2026-39828 golang-github-git-5: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 trayscale: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 opkssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 complyctl: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 golang-github-cloudflare-redoctober: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 restic: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 trivy: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 age: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 gopass: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 kubernetes1.32: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 headscale: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 nuclei: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 clash-meta: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 caddy: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 podman-tui: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 pack: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 kubernetes1.33: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 docker-buildx: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 jfrog-cli: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 gh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 prometheus-podman-exporter: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 podman-tui: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 apptainer: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Discussion:
Apptainer does not use server-side ssh from the crypto library so this vulnerability is not applicable
Bugzilla
CVE-2026-39828 openbao: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Discussion:
OpenBao does not use ssh/agent from the crypto library so this vulnerability is not applicable
Bugzilla
CVE-2026-39828 nebula: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 gvisor-tap-vsock: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 moby-engine: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 cheat: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 prometheus-podman-exporter: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 hcloud: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 k9s: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 golang-github-francoispqt-gojay: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 cri-o1.30: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Bugzilla
CVE-2026-39828 forgejo: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 kubernetes1.36: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 matterbridge: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 incus: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 containers-common: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
bugzilla·2026-06-17·CVSS 6.3
Discussion:
No Go src or bin shipped. Also, CVE page says Red Hat software not affected.
CVE-2026-39828 trivy: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
bugzilla·2026-06-17·CVSS 6.3
CVE-2026-39828 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions
bugzilla·2026-05-22·CVSS 6.3
When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.
https://go.dev/cl/781621
https://go.dev/issue/79562
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://pkg.go.dev/vuln/GO-2026-5014
https://access.redhat.com/security/cve/CVE-2026-39828
https://bugzilla.redhat.com/show_bug.cgi?id=2480687
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39828.json
Published: 2026-05-22