golang.org/x/crypto/ssh vulnerable to invoking bypass of certificate restrictions
Moderate severity
GitHub Reviewed
Published
Jun 25, 2026
to the GitHub Advisory Database
•
Updated Jul 1, 2026
Description
Published by the National Vulnerability Database
May 22, 2026
Published to the GitHub Advisory Database
Jun 25, 2026
Reviewed
Jun 25, 2026
Last updated
Jul 1, 2026
When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.
References