The in-memory keyring returned by NewKeyring() silently
accepted keys with the ConfirmBeforeUse constraint but
never enforced it. The key would sign without any
confirmation prompt, with no indication to the caller
that the constraint was not in effect. NewKeyring()
now returns an error when unsupported constraints are
requested.
Thanks to NCC Group Cryptography Services, sponsored by Teleport, for reporting this issue.
This is CVE-2026-39833 and Go issue https://go.dev/issue/79436.
This was a PUBLIC track issue, tracked in http://b/503005088.
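
The behaviour change described above, as a simplified standard-library model added here (it is not the ssh/agent code or its actual fix). The `Keyring`, `AddedKey`, `failClosed` and `Demo` names are hypothetical stand-ins, and the key and payload are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// AddedKey is a simplified, hypothetical stand-in for a key plus its constraint.
type AddedKey struct {
	PrivateKey       ed25519.PrivateKey
	ConfirmBeforeUse bool // caller wants a prompt before every signature
}

// Keyring is a toy in-memory keyring; it has no way to prompt a user.
type Keyring struct {
	failClosed bool // false models the old behaviour, true the fixed one
	keys       []AddedKey
}

// Add stores the key; the fail-closed variant refuses a constraint it cannot enforce.
func (k *Keyring) Add(key AddedKey) error {
	if key.ConfirmBeforeUse && k.failClosed {
		return errors.New("keyring: ConfirmBeforeUse is not supported")
	}
	k.keys = append(k.keys, key) // old behaviour: flag stored, never checked
	return nil
}

// Sign uses the first stored key and never consults ConfirmBeforeUse.
func (k *Keyring) Sign(data []byte) ([]byte, error) {
	if len(k.keys) == 0 {
		return nil, errors.New("keyring: no keys")
	}
	return ed25519.Sign(k.keys[0].PrivateKey, data), nil
}

// Demo reports whether the old model signed silently and the fixed one rejected Add.
func Demo() (signedSilently, rejected bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed throwaway key
	key, msg := AddedKey{priv, true}, []byte("constructed sample payload")
	old := &Keyring{}
	accepted := old.Add(key) == nil
	sig, _ := old.Sign(msg)
	signedSilently = accepted && ed25519.Verify(pub, msg, sig)
	rejected = (&Keyring{failClosed: true}).Add(key) != nil
	return
}

func main() { fmt.Println(Demo()) }
```

Callers that relied on the constraint should treat the error from adding the key as a signal to use an agent that can actually prompt, rather than retrying without the constraint.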