Go FIDO/U2F Security Key User Presence Bypass Vulnerability

Vulnerability

The Verify() method for FIDO/U2F security key types, specifically sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com, did not check the User Presence flag. As a result, signatures generated without physical interaction were accepted as valid, which enabled the unattended use of hardware security keys. The vulnerability affects Go versions prior to 0.52.0.
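The missing check, shown as an added example (not code from the Go project): it rebuilds the signed data layout that OpenSSH's PROTOCOL.u2f defines for security key signatures and rejects a cryptographically valid signature whose User Presence bit (0x01) is clear. The helper names, the software key standing in for an authenticator, the all-zero seed and the message are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const flagUserPresence = 0x01 // UP bit in the authenticator flags byte

var errNoUserPresence = errors.New("sk signature: user presence flag not set")

// skSignedData rebuilds what the authenticator signs:
// SHA256(application) || flags || counter (big-endian) || SHA256(message).
func skSignedData(application string, flags byte, counter uint32, msg []byte) []byte {
	appHash := sha256.Sum256([]byte(application))
	msgHash := sha256.Sum256(msg)
	buf := append([]byte{}, appHash[:]...)
	buf = append(buf, flags)
	buf = binary.BigEndian.AppendUint32(buf, counter)
	return append(buf, msgHash[:]...)
}

// verifySK (hypothetical helper) checks the signature and, when requireUP
// is true, also insists that the signed flags byte has the UP bit set.
func verifySK(pub ed25519.PublicKey, app string, msg, sig []byte, flags byte, counter uint32, requireUP bool) error {
	if !ed25519.Verify(pub, skSignedData(app, flags, counter, msg), sig) {
		return errors.New("sk signature: invalid")
	}
	if requireUP && flags&flagUserPresence == 0 {
		return errNoUserPresence
	}
	return nil
}

// demo signs constructed data with a software key in place of a real token.
func demo(flags byte, requireUP bool) error {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed test seed
	msg := []byte("constructed session data")
	sig := ed25519.Sign(priv, skSignedData("ssh:", flags, 7, msg))
	return verifySK(priv.Public().(ed25519.PublicKey), "ssh:", msg, sig, flags, 7, requireUP)
}

func main() {
	fmt.Println("UP clear, flag ignored:", demo(0x00, false))
	fmt.Println("UP clear, flag checked:", demo(0x00, true))
	fmt.Println("UP set, flag checked:  ", demo(0x01, true))
}
```

Because the flags byte is part of the signed data, the signature itself is valid in all three cases; only the explicit bit test distinguishes a touch-confirmed signature from an unattended one.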

Impact

Exploitation of this vulnerability allows for the unattended use of hardware security keys, bypassing the required physical interaction.

Remediation

Users can update to Go version 0.52.0 or later, where this vulnerability has been fixed. Instructions for downloading the latest version of Go are available on the official Go website.

Added: May 22, 2026, 4:28 AM
Updated: May 22, 2026, 4:28 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.1
remediation: 0.0
relevance: 8.7
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.