
Security: Fix CVE-2026-34986 (go-jose/go-jose/v4) SRVKP-11504#2863

Open
divyansh42 wants to merge 1 commit into release-v0.43.1 from fix/SRVKP-11504-cve-2026-34986-go-jose-v4-release-v0.43.1-attempt-1

Conversation

@divyansh42
Member

Summary

This PR fixes CVE-2026-34986 by upgrading github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4.

CVE Details

  • CVE ID: CVE-2026-34986
  • GHSA: GHSA-78h2-9frx-2jm8
  • Package: github.com/go-jose/go-jose/v4
  • Severity: HIGH
  • Impact: Denial of Service via crafted JSON Web Encryption (JWE) object — panics in JWE decryption
  • Vulnerable versions: < 4.1.4
  • Fixed version: v4.1.4
  • Jira Issue: SRVKP-11504

Changes

  • go.mod: Updated github.com/go-jose/go-jose/v4 v4.1.3 → v4.1.4
  • go.sum: Updated checksums
  • vendor/: Synced via go mod vendor

Verification

  • go mod tidy — passed
  • go mod verify — all modules verified
  • go mod vendor — synced cleanly

Breaking Changes

None. Patch-level upgrade within v4.1.x.

Risk Assessment

Factor             Assessment
Change scope       Minimal — single indirect dependency patch bump
Breaking changes   None
Risk level         Low

Generated by CVE Fixer Workflow
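The fix above is nothing more than a go.mod version bump, so the check a reviewer wants on any branch is whether go.mod actually selects go-jose/v4 at or above v4.1.4. The following Go program is an added example, not code from this PR or from the Tekton project: it reads go.mod text for the go-jose/v4 requirement (single-line or block form, honouring a versioned replace directive) and flags anything below the fixed version named in the advisory summary; the go.mod fragments it is exercised with are constructed, not this repository's file.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not project code. Module and fixed version come from the advisory summary above.
const goJoseV4, fixedVersion = "github.com/go-jose/go-jose/v4", "v4.1.4"

// sortKey turns "v4.1.3" into a zero-padded MAJOR.MINOR.PATCH string that
// compares correctly as text; any -pre/+build suffix is ignored.
func sortKey(v string) (string, error) {
	var mj, mn, pt int
	if n, err := fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &mj, &mn, &pt); n != 3 {
		return "", fmt.Errorf("not vMAJOR.MINOR.PATCH: %q (%v)", v, err)
	}
	return fmt.Sprintf("%06d.%06d.%06d", mj, mn, pt), nil
}

// GoJoseV4Version returns the go-jose/v4 version go.mod selects: the require
// entry (single-line or block form), overridden by a versioned replace.
// A directory replace (`mod => ../local`) pins no version and is ignored.
func GoJoseV4Version(goMod string) (required string) {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // drop `// indirect` etc.
		if len(f) > 1 && (f[0] == "require" || f[0] == "replace") {
			f = f[1:] // single-line form; block entries carry no keyword
		}
		if len(f) == 2 && f[0] == goJoseV4 { // `mod vX`
			required = f[1]
		} else if len(f) >= 4 && f[0] == goJoseV4 && f[len(f)-3] == "=>" { // `mod [vX] => new vY`
			return f[len(f)-1] // a replace always wins over the require entry
		}
	}
	return required
}

// VulnerableToCVE202634986 reports whether the selected version is below
// v4.1.4. A missing or unparsable version is an error, never a silent "safe".
func VulnerableToCVE202634986(goMod string) (bool, error) {
	got, err := sortKey(GoJoseV4Version(goMod)) // "" (module not required) fails to parse
	if err != nil {
		return false, err
	}
	fixed, _ := sortKey(fixedVersion)
	return got < fixed, nil
}
```

This reads the requirement as written; for a full module graph, `go list -m github.com/go-jose/go-jose/v4` reports the version the build actually selects.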

Security fix: update github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4 to address CVE-2026-34986

Made with Cursor

- Update github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4
- Addresses denial of service vulnerability via crafted JWE object
- go mod tidy && go mod verify passed
- go mod vendor synced

Resolves: SRVKP-11504

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
@tekton-robot tekton-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label May 13, 2026
@tekton-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign vinamra28 after the PR has been reviewed.
You can assign the PR to them by writing /assign @vinamra28 in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label May 13, 2026
@divyansh42
Member Author

/retest
