
Security: Fix CVE-2026-34986 (go-jose/go-jose/v4) SRVKP-11504 #2863

Open

divyansh42 wants to merge 1 commit into release-v0.43.1 from fix/SRVKP-11504-cve-2026-34986-go-jose-v4-release-v0.43.1-attempt-1

Conversation

@divyansh42
Member

Summary

This PR fixes CVE-2026-34986 by upgrading github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4.

CVE Details

  • CVE ID: CVE-2026-34986
  • GHSA: GHSA-78h2-9frx-2jm8
  • Package: github.com/go-jose/go-jose/v4
  • Severity: HIGH
  • Impact: Denial of Service via crafted JSON Web Encryption (JWE) object — panics in JWE decryption
  • Vulnerable versions: < 4.1.4
  • Fixed version: v4.1.4
  • Jira Issue: SRVKP-11504

Changes

  • go.mod: Updated github.com/go-jose/go-jose/v4 v4.1.3 → v4.1.4
  • go.sum: Updated checksums
  • vendor/: Synced via go mod vendor

Verification

  • go mod tidy — passed
  • go mod verify — all modules verified
  • go mod vendor — synced cleanly

Breaking Changes

None. Patch-level upgrade within v4.1.x.

Risk Assessment

Factor           | Assessment
-----------------|------------------------------------------------
Change scope     | Minimal — single indirect dependency patch bump
Breaking changes | None
Risk level       | Low

Generated by CVE Fixer Workflow

Security fix: update github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4 to address CVE-2026-34986

Made with Cursor

- Update github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4
- Addresses denial of service vulnerability via crafted JWE object
- go mod tidy && go mod verify passed
- go mod vendor synced

Resolves: SRVKP-11504

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
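The verification listed in the description (go mod tidy, go mod verify, go mod vendor) confirms that the module graph is internally consistent, but not that the go-jose/v4 requirement actually landed at or above the fixed version, nor that vendor/modules.txt was regenerated from the new go.mod. The POSIX shell check below is an added example, not code from this PR or from the repository: it extracts the go-jose/v4 version from go.mod content (single-line and block require forms), compares it against v4.1.4, and flags a stale vendor/modules.txt. The go.mod and modules.txt snippets are constructed samples, the function names are the example's own, and the semver comparison ignores pre-release suffixes (an assumption of the example).

```shell
#!/bin/sh
# Added example (not part of the PR or repository): confirm that go.mod pins
# github.com/go-jose/go-jose/v4 at or above the version fixing CVE-2026-34986
# (v4.1.4, as stated in the PR) and that vendor/modules.txt agrees with go.mod.

MODULE="github.com/go-jose/go-jose/v4"
FIXED_VERSION="v4.1.4"   # fixed version stated in the PR description

# Constructed sample inputs (not the repository's real files).
SAMPLE_GOMOD_FIXED='module example.com/pipelines

go 1.22

require (
    github.com/go-jose/go-jose/v4 v4.1.4 // indirect
    github.com/google/uuid v1.6.0
)'

SAMPLE_GOMOD_VULN='module example.com/pipelines

go 1.22

require github.com/go-jose/go-jose/v4 v4.1.3 // indirect'

# A vendor/modules.txt that was not regenerated after the go.mod bump.
SAMPLE_MODULES_TXT_STALE='# github.com/go-jose/go-jose/v4 v4.1.3
## explicit; go 1.21
github.com/go-jose/go-jose/v4
github.com/go-jose/go-jose/v4/json'

# ver_ge A B: exit 0 when semver A >= B for vMAJOR.MINOR.PATCH strings.
# Assumption: a -pre/+meta suffix on PATCH is ignored (pseudo-versions are
# therefore treated as equal to their base version).
ver_ge() {
    a=${1#v}; b=${2#v}
    a_major=${a%%.*}; a_rest=${a#*.}; a_minor=${a_rest%%.*}; a_patch=${a_rest#*.}
    b_major=${b%%.*}; b_rest=${b#*.}; b_minor=${b_rest%%.*}; b_patch=${b_rest#*.}
    a_patch=${a_patch%%[-+]*}; b_patch=${b_patch%%[-+]*}
    if [ "$a_major" -ne "$b_major" ]; then
        [ "$a_major" -gt "$b_major" ] && return 0
        return 1
    fi
    if [ "$a_minor" -ne "$b_minor" ]; then
        [ "$a_minor" -gt "$b_minor" ] && return 0
        return 1
    fi
    [ "$a_patch" -ge "$b_patch" ] && return 0
    return 1
}

# gomod_version GOMOD_CONTENT: print the version go.mod requires for $MODULE,
# handling both "require mod vX" and lines inside a "require ( ... )" block;
# prints nothing if the module is absent.
gomod_version() {
    printf '%s\n' "$1" | awk -v mod="$MODULE" '
        $1 == "require" && $2 == mod { print $3; exit }
        $1 == mod && $2 ~ /^v[0-9]/  { print $2; exit }'
}

# vendored_version MODULES_TXT_CONTENT: print the version recorded for $MODULE
# in vendor/modules.txt ("# module version" header lines); empty if absent.
vendored_version() {
    printf '%s\n' "$1" | awk -v mod="$MODULE" '
        $1 == "#" && $2 == mod { print $3; exit }'
}

# check_fix GOMOD_CONTENT [MODULES_TXT_CONTENT]
#   0: go.mod requires >= FIXED_VERSION (and vendor agrees, when given)
#   1: requirement below FIXED_VERSION, or module not required at all
#   2: vendor/modules.txt disagrees with go.mod (go mod vendor not rerun)
check_fix() {
    req=$(gomod_version "$1")
    if [ -z "$req" ]; then
        echo "FAIL: $MODULE not found in go.mod"
        return 1
    fi
    if ! ver_ge "$req" "$FIXED_VERSION"; then
        echo "FAIL: $MODULE $req is below fixed version $FIXED_VERSION"
        return 1
    fi
    if [ $# -ge 2 ]; then
        vend=$(vendored_version "$2")
        if [ "$vend" != "$req" ]; then
            echo "FAIL: vendor/modules.txt records '$vend' but go.mod requires $req; rerun go mod vendor"
            return 2
        fi
    fi
    echo "OK: $MODULE $req >= $FIXED_VERSION"
    return 0
}

# Stand-alone demonstration on the constructed samples.
check_fix "$SAMPLE_GOMOD_FIXED" || true
check_fix "$SAMPLE_GOMOD_VULN" || true
check_fix "$SAMPLE_GOMOD_FIXED" "$SAMPLE_MODULES_TXT_STALE" || true
```

On a real checkout the same functions take the file contents, for example `check_fix "$(cat go.mod)" "$(cat vendor/modules.txt)"`, and the non-zero exit codes make the check usable as a CI gate for a release branch. The vendor comparison matters because a go.mod bump without a regenerated vendor directory leaves `-mod=vendor` builds on the old, vulnerable copy of the module.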
@tekton-robot tekton-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label May 13, 2026
@tekton-robot tekton-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label May 13, 2026
@divyansh42
Member Author

/retest

@pratap0007
Contributor

/approve

@tekton-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pratap0007

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 15, 2026
