New: Corgea AI Pentesting — autonomous penetration testing in hours, not weeks
UNKNOWN Go

Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh

GO-2026-5019 · CVE-2026-39831 · GHSA-89gr-r52h-f8rx

Published · Modified

Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

Ready to move

Start Securing

Free, no credit card | First findings in minutes