
Security: Fix CVE-2026-34986 (go-jose v4.1.3→v4.1.4) SRVKP-11491#1667

Open
jkhelil wants to merge 1 commit into release-v0.20.x from fix/SRVKP-11491-cve-2026-34986-go-jose-release-v0.20.x-attempt-1

Conversation

@jkhelil
Member

@jkhelil jkhelil commented May 13, 2026

Summary

This PR fixes CVE-2026-34986 by upgrading github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4 on the release-v0.20.x branch (pipelines-1.15).

CVE Details

  • CVE ID: CVE-2026-34986
  • GHSA ID: GHSA-78h2-9frx-2jm8
  • Package: github.com/go-jose/go-jose/v4
  • Severity: Critical
  • Impact: Panic (Denial of Service) in JWE decryption via crafted input
  • Vulnerable versions: < v4.1.4
  • Fixed version: v4.1.4
  • Jira Issues: SRVKP-11491

Fix Description

Minimal same-minor-line patch upgrade: v4.1.3 → v4.1.4. The v4.1.4 release contains fixes in crypter.go, asymmetric.go, and cipher/key_wrap.go that prevent panics when decrypting maliciously crafted JWE tokens.

Note: This is a backport fix for release-v0.20.x (pipelines-1.15). The main branch fix is tracked in SRVKP-11491 which is already in Release Pending.

Test Results

Status: ⚠️ PARTIAL - tests timed out after 5 minutes, but build and vet passed

Build: ✅ go build ./cmd/... - passed
Vet: ✅ go vet ./pkg/... ./internal/... - passed
Unit tests: ⏱️ Timed out after 5 minutes (test suite is long-running)

  • github.com/tektoncd/chains/pkg/artifacts - PASSED before timeout

Note: Timeout is expected for the full suite in this environment. Build and vet success confirms the fix compiles and has no static issues.

Changes

  • go.mod: github.com/go-jose/go-jose/v4 v4.1.3 → v4.1.4
  • go.sum: Updated checksums
  • vendor/: Updated vendored files for go-jose v4.1.4 (3 files changed)

Breaking Changes

None. This is a patch-level upgrade within the same minor version (v4.1.x). The API is fully compatible.

Verification Steps

  • Confirm CVE-2026-34986 is resolved by running govulncheck
  • Review changes in go-jose v4.1.4 (asymmetric.go, cipher/key_wrap.go, symmetric.go)
  • Run CI/CD tests to confirm no regression

Risk Assessment

Factor              Assessment
Version change      Patch (v4.1.3 → v4.1.4)
API compatibility   ✅ Fully compatible
Test coverage       Build/vet passed; full suite timed out
Overall risk        Low - minimal patch upgrade

🤖 Generated by CVE Fixer Workflow
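An added verification check, not part of this PR or of the project, that complements the govulncheck step listed above: it reads a go.mod and confirms that github.com/go-jose/go-jose/v4 is pinned at or above v4.1.4, the fixed version named in the advisory. The module path and fixed version come from this page; the function names and the sample go.mod at the end are constructed for the example.

```shell
#!/bin/sh
# Check that a go.mod does not pin a go-jose/v4 version below the fixed release.
# Exit status: 0 when fixed or not required at all, 1 when a vulnerable version is pinned.
# Usage: check_gojose_fixed <path-to-go.mod>

GOJOSE_MODULE="github.com/go-jose/go-jose/v4"
GOJOSE_FIXED="v4.1.4"   # fixed version per GHSA-78h2-9frx-2jm8 / CVE-2026-34986

# Print the version go.mod requires for the module, or nothing if it is absent.
# Handles both "require <mod> <ver>" and the indented block form "<mod> <ver> // indirect".
gojose_required_version() {
  awk -v mod="$GOJOSE_MODULE" '
    $1 == "require" && $2 == mod { print $3; exit }
    $1 == mod                   { print $2; exit }
  ' "$1"
}

# Return 0 when version $1 >= $2, using natural (semver-aware) sort from coreutils.
version_at_least() {
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

check_gojose_fixed() {
  ver=$(gojose_required_version "$1")
  if [ -z "$ver" ]; then
    echo "$GOJOSE_MODULE not required by $1; not affected"
    return 0
  fi
  if version_at_least "$ver" "$GOJOSE_FIXED"; then
    echo "$GOJOSE_MODULE $ver >= $GOJOSE_FIXED: fixed"
    return 0
  fi
  echo "$GOJOSE_MODULE $ver < $GOJOSE_FIXED: vulnerable to CVE-2026-34986" >&2
  return 1
}

# Constructed sample go.mod (not the repository's own) for a stand-alone run.
SAMPLE_GOMOD=$(mktemp)
printf 'module example.com/demo\n\ngo 1.22\n\nrequire %s %s\n' \
  "$GOJOSE_MODULE" "$GOJOSE_FIXED" > "$SAMPLE_GOMOD"
check_gojose_fixed "$SAMPLE_GOMOD"
rm -f "$SAMPLE_GOMOD"
```

This only inspects the declared requirement; govulncheck remains the authoritative check because it also inspects the vendored code and whether the vulnerable functions are reachable.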

Security fix: update github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4 to address CVE-2026-34986 (JWE panic/DoS)

- Update github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4
- Addresses panic vulnerability in JWE decryption (CVE-2026-34986)
- go-jose v4.1.4 contains the security fix in crypter.go (GHSA-78h2-9frx-2jm8)
- Minimal same-minor-line patch upgrade

Resolves: SRVKP-11491

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@tekton-robot tekton-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label May 13, 2026
@anithapriyanatarajan
Contributor

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label May 14, 2026
@anithapriyanatarajan
Contributor

/kind misc

@tekton-robot tekton-robot added the kind/misc Categorizes issue or PR as a miscellaneous one. label May 14, 2026
@anithapriyanatarajan anithapriyanatarajan added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 14, 2026
@tekton-robot

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

The pull request process is described here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
