OCPBUGS-84565: Fix CVE-2026-34986

[pablintino]

Closes: #OCPBUGS-84406

- What I did

This change bumps go-jose to the version that fixes the CVE-2026-34986.

- How to verify it

CI e2e's are enough to verify this dependency bump.

- Description for the changelog

This change bumps go-jose to the version that fixes the CVE-2026-34986.

Summary by CodeRabbit

• Chores
  • Updated an indirect dependency to a newer version, which may include bug fixes and improvements from the upstream library.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@pablintino: This pull request references Jira Issue OCPBUGS-84406, which is invalid:

• expected the vulnerability to target either version "5.0." or "openshift-5.0.", but it targets "4.22.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Closes: #OCPBUGS-84406

- What I did

This change bumps go-jose to the version that fixes the CVE-2026-34986.

- How to verify it

CI e2e's are enough to verify this dependency bump.

- Description for the changelog

This change bumps go-jose to the version that fixes the CVE-2026-34986.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: bea44bbb-8c7f-47a9-8b98-63d66465265e

📥 Commits

Reviewing files that changed from the base of the PR and between e0916a2 and b6fe2a6.

⛔ Files ignored due to path filters (13)

• go.sum is excluded by !**/*.sum
• vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-jose/go-jose/v4/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-jose/go-jose/v4/asymmetric.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-jose/go-jose/v4/cipher/key_wrap.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-jose/go-jose/v4/crypter.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-jose/go-jose/v4/jwe.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-jose/go-jose/v4/jwk.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-jose/go-jose/v4/jws.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-jose/go-jose/v4/shared.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-jose/go-jose/v4/signing.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-jose/go-jose/v4/symmetric.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (1)

• go.mod

---

Walkthrough

An indirect dependency github.com/go-jose/go-jose/v4 is updated from version v4.0.5 to v4.1.4 in the module file, with no other changes to the dependency graph.

Changes

Cohort / File(s)	Summary
Dependency Update go.mod	Updated indirect dependency github.com/go-jose/go-jose/v4 from v4.0.5 to v4.1.4

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title references OCPBUGS-84565 but the PR description and branch indicate OCPBUGS-84406, creating a mismatch. However, the core intent of fixing CVE-2026-34986 through the go-jose dependency bump is accurate and clearly stated.	Correct the issue reference in the title from OCPBUGS-84565 to OCPBUGS-84406 to match the PR metadata and description.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The pull request only modifies the go.mod file to update a dependency version with no changes to test files or Ginkgo test definitions, making the custom check for stable test names not applicable.
Test Structure And Quality	✅ Passed	The custom check evaluates Ginkgo test code quality, but this PR only contains a dependency version bump with no test code modifications.
Microshift Test Compatibility	✅ Passed	The PR only updates a dependency version in go.mod and does not add or modify any Ginkgo e2e tests, making the MicroShift compatibility check not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR only updates go.mod dependency (go-jose/v4) to fix CVE-2026-34986; no new e2e tests added, so SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only updates go.mod dependency version for go-jose/v4 without modifying deployment manifests, operator code, or controllers.
Ote Binary Stdout Contract	✅ Passed	The custom check for OTE Binary Stdout Contract violations is not applicable to this pull request. The PR exclusively modifies go.mod to update a single dependency version without introducing or modifying any Go source code files.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not add any new Ginkgo e2e tests; it only updates a dependency version and removes IRI-related functionality.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pablintino]

/retitle OCPBUGS-84565: Fix CVE-2026-34986

[openshift-ci-robot]

@pablintino: This pull request references Jira Issue OCPBUGS-84565, which is invalid:

• expected the vulnerability to target either version "5.0." or "openshift-5.0.", but it targets "4.22.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Closes: #OCPBUGS-84406

- What I did

This change bumps go-jose to the version that fixes the CVE-2026-34986.

- How to verify it

CI e2e's are enough to verify this dependency bump.

- Description for the changelog

This change bumps go-jose to the version that fixes the CVE-2026-34986.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[pablintino]

/jira-refresh

[openshift-ci-robot]

@pablintino: This pull request references Jira Issue OCPBUGS-84565, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Closes: #OCPBUGS-84406

- What I did

This change bumps go-jose to the version that fixes the CVE-2026-34986.

- How to verify it

CI e2e's are enough to verify this dependency bump.

- Description for the changelog

This change bumps go-jose to the version that fixes the CVE-2026-34986.

Summary by CodeRabbit

• Chores
• Updated an indirect dependency to a newer version, which may include bug fixes and improvements from the upstream library.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[umohnani8]

/lgtm

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-upgrade
/test e2e-gcp-op-part1
/test e2e-gcp-op-part2
/test e2e-gcp-op-single-node
/test e2e-hypershift

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pablintino, umohnani8

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [pablintino,umohnani8]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[isabella-janssen]

/retest-required

[pablintino]

/retest-required
/verified by @pablintino
CI e2e's is enough verification for this change.

[openshift-ci-robot]

@pablintino: This PR has been marked as verified by @pablintino.

Details

In response to this:

/retest-required
/verified by @pablintino
CI e2e's is enough verification for this change.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 89245a0 and 2 for PR HEAD b6fe2a6 in total

[isabella-janssen]

/test e2e-gcp-op-single-node

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 19bf44b and 1 for PR HEAD b6fe2a6 in total

[pablintino]

/retest-required

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD b9964db and 0 for PR HEAD b6fe2a6 in total

[openshift-merge-bot]

/hold

Revision b6fe2a6 was retested 3 times: holding

[isabella-janssen]

/unhold

[isabella-janssen]

/test e2e-aws-ovn-upgrade

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 384e6fa and 2 for PR HEAD b6fe2a6 in total

[openshift-ci]

@pablintino: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@pablintino: Jira Issue Verification Checks: Jira Issue OCPBUGS-84565
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-84565 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Closes: #OCPBUGS-84406

- What I did

This change bumps go-jose to the version that fixes the CVE-2026-34986.

- How to verify it

CI e2e's are enough to verify this dependency bump.

- Description for the changelog

This change bumps go-jose to the version that fixes the CVE-2026-34986.

Summary by CodeRabbit

• Chores
• Updated an indirect dependency to a newer version, which may include bug fixes and improvements from the upstream library.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[pablintino]

/cherry-pick release-4.22

[openshift-cherrypick-robot]

@pablintino: new pull request created: #5986

Details

In response to this:

/cherry-pick release-4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.