CVE Catalog

CVE-2026-39828

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.31%

23th percentile - higher than 23% of all known CVEs

Summary

A vulnerability in SSH server implementation causes permissions to be silently discarded when an authentication callback returns PartialSuccessError with non-nil Permissions. This can bypass certificate restrictions like force-command after a second factor succeeds.

Risk Assessment

The organization risks that users after successful multi-factor authentication may bypass certificate-imposed restrictions, potentially leading to unauthorized command execution or privilege escalation.

Recommendation

Immediately update the library/program to a version where returning non-nil Permissions with PartialSuccessError results in a connection error, as per the fix.

Original NVD description (English source)

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS