
Security: Fix CVE-2026-34986 (go-jose/go-jose/v4) SRVKP-11490 #2858

Open
divyansh42 wants to merge 1 commit into release-v0.42.2 from fix/SRVKP-11490-cve-2026-34986-github.com-go-jose-go-jose-v4-release-v0.42.2-attempt-1

Conversation

@divyansh42
Member

Summary

This PR fixes CVE-2026-34986 by upgrading github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4.

CVE Details

  • CVE ID: CVE-2026-34986
  • GHSA: GHSA-78h2-9frx-2jm8
  • Package: github.com/go-jose/go-jose/v4
  • Severity: HIGH
  • Impact: Denial of Service via crafted JSON Web Encryption (JWE) object — panics in JWE decryption
  • Vulnerable versions: < 4.1.4
  • Fixed version: v4.1.4
  • Jira Issue: SRVKP-11490

Changes

  • go.mod: Updated github.com/go-jose/go-jose/v4 v4.1.3 → v4.1.4
  • go.sum: Updated checksums
  • vendor/: Synced via go mod vendor

Test Results

Status: Passed (1 pre-existing failure unrelated to this change)

Test command: go test ./...
Result: All packages passed except pkg/formatted (pre-existing TestDecoration failure due to terminal ANSI escape code handling — not related to go-jose)

Breaking Changes

None. This is a patch-level upgrade within the same minor version (v4.1.x). No API changes.

Verification

  • go mod tidy — passed
  • go mod verify — all modules verified
  • go mod vendor — synced cleanly

Testing Checklist

  • Pre-PR automated tests executed
  • Verify CVE is resolved with security scan
  • Test affected functionality manually

Risk Assessment

Factor            Assessment
Change scope      Minimal — single indirect dependency patch bump
Breaking changes  None
Test coverage     Good — all tests pass (1 pre-existing unrelated failure)
Risk level        Low

Generated by CVE Fixer Workflow

Security fix: update github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4 to address CVE-2026-34986

Made with Cursor

- Update github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4
- Addresses denial of service vulnerability via crafted JWE object
- go mod tidy && go mod verify passed
- go mod vendor synced

Resolves: SRVKP-11490

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
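The checklist above leaves "Verify CVE is resolved with security scan" open. The script below is an added example, not code from this PR or its repository: it reads a go.mod, finds the version pinned for a module path, and compares it against the fixed version the PR states (v4.1.4 for github.com/go-jose/go-jose/v4). The two go.mod snippets are constructed for the example; only the module path and the fixed version come from the PR.

```shell
#!/bin/sh
# Added example (not from the PR): confirm that a go.mod pins a module at or
# above the version in which a CVE was fixed.

# Constructed go.mod text resembling the state after the bump.
GOMOD_FIXED='module example.com/constructed
go 1.22
require (
	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
	golang.org/x/text v0.14.0
)'

# Constructed go.mod text resembling the state before the bump.
GOMOD_VULNERABLE='module example.com/constructed
go 1.22
require github.com/go-jose/go-jose/v4 v4.1.3 // indirect'

# module_version GOMOD_TEXT MODULE_PATH
# Prints the version pinned for MODULE_PATH (block or single-line require form),
# or nothing if the module is not required in this go.mod.
module_version() {
    printf '%s\n' "$1" | awk -v mod="$2" '
        $1 == mod                    { print $2; exit }
        $1 == "require" && $2 == mod { print $3; exit }'
}

# version_ge A B
# Returns 0 when semver A >= B. Accepts "vMAJOR.MINOR.PATCH"; any pre-release
# or pseudo-version suffix after "-" or "+" is ignored for the comparison.
version_ge() {
    a=${1#v}; b=${2#v}
    a=${a%%-*}; b=${b%%-*}
    a=${a%%+*}; b=${b%%+*}
    i=1
    while [ "$i" -le 3 ]; do
        pa=$(printf '%s' "$a" | cut -d. -f"$i")
        pb=$(printf '%s' "$b" | cut -d. -f"$i")
        pa=${pa:-0}; pb=${pb:-0}
        if [ "$pa" -gt "$pb" ]; then return 0; fi
        if [ "$pa" -lt "$pb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# check_fixed GOMOD_TEXT MODULE_PATH FIXED_VERSION
# Prints a one-line verdict; returns 0 if fixed, 1 if still vulnerable,
# 2 if the module does not appear in go.mod at all.
check_fixed() {
    have=$(module_version "$1" "$2")
    if [ -z "$have" ]; then
        echo "ABSENT $2 (not listed in go.mod)"
        return 2
    fi
    if version_ge "$have" "$3"; then
        echo "OK     $2 $have (>= $3)"
        return 0
    fi
    echo "VULN   $2 $have (< $3)"
    return 1
}

# Demonstration on the constructed inputs; the second call is expected to fail.
check_fixed "$GOMOD_FIXED" github.com/go-jose/go-jose/v4 v4.1.4
check_fixed "$GOMOD_VULNERABLE" github.com/go-jose/go-jose/v4 v4.1.4 || true
```

Run it against a real checkout with `check_fixed "$(cat go.mod)" github.com/go-jose/go-jose/v4 v4.1.4`. Because go-jose is an indirect dependency here, the version that actually builds is the one module selection settles on; `go list -m github.com/go-jose/go-jose/v4` reports that, and govulncheck confirms whether vulnerable code paths are reachable, which a go.mod text check cannot.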
tekton-robot added the release-note label (Denotes a PR that will be considered when it comes time to generate release notes.) on May 13, 2026
@tekton-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign chmouel after the PR has been reviewed.
You can assign the PR to them by writing /assign @chmouel in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

tekton-robot added the size/M label (Denotes a PR that changes 30-99 lines, ignoring generated files.) on May 13, 2026