CVE-2026-39828
MediumCVSS 6.3Exploitation Probability (EPSS)
Low risk23th percentile - higher than 23% of all known CVEs
Summary
A vulnerability in SSH server implementation causes permissions to be silently discarded when an authentication callback returns PartialSuccessError with non-nil Permissions. This can bypass certificate restrictions like force-command after a second factor succeeds.
Risk Assessment
The organization risks that users after successful multi-factor authentication may bypass certificate-imposed restrictions, potentially leading to unauthorized command execution or privilege escalation.
Recommendation
Immediately update the library/program to a version where returning non-nil Permissions with PartialSuccessError results in a connection error, as per the fix.
Original NVD description (English source)
When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

