Go-JOSE Security Patch: CVE-2026-34986 Fixes Panic Vulnerability in JWE Decryption
A critical security update has been released for the widely used Go-JOSE library, addressing a vulnerability that can cause a panic and crash during the decryption of certain JSON Web Encryption (JWE) objects. The flaw, tracked as CVE-2026-34986, is triggered when a JWE object uses a key wrapping algorithm (those whose name ends in `KW`, except for `A128GCMKW`, `A192GCMKW`, and `A256GCMKW`) and carries an empty `encrypted_key` field. The empty field reaches the `cipher.KeyUnwrap()` function in `key_wrap.go`, which panics when it tries to allocate memory sized from the zero-length input.
The vulnerability is present in both the v3 and v4 branches of the `github.com/go-jose/go-jose` library. The patches, which update the library from v3.0.4 to v3.0.5 and from v4.1.3 to v4.1.4, are recorded as indirect dependency updates in the source repository, meaning go-jose is pulled in transitively by a larger project rather than imported directly. The flaw is reachable from the `ParseEncrypted` function, the entry point for handling encrypted JWTs and other JWE payloads, so any service that parses untrusted JWE input with this library is exposed.
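The following Go pre-check is an added defensive example, not go-jose's own code: it rejects the exact trigger condition described above (a `KW` key-wrap algorithm with an empty `encrypted_key`) before an unpatched service passes the token to `ParseEncrypted`. It assumes the compact JWE serialization, uses only the standard library, and is a stopgap; upgrading to v3.0.5 or v4.1.4 remains the real fix.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// AES-GCM key-wrap algorithms end in "KW" but are not affected by the advisory.
var gcmKW = map[string]bool{"A128GCMKW": true, "A192GCMKW": true, "A256GCMKW": true}

// IsAffectedJWE reports whether a compact-serialized JWE matches the
// CVE-2026-34986 trigger: a *KW key-wrap alg combined with an empty
// encrypted_key segment. Added example for use as a guard in front of
// jose.ParseEncrypted on unpatched versions; not part of go-jose.
func IsAffectedJWE(compact string) (bool, error) {
	// Compact JWE layout: header.encrypted_key.iv.ciphertext.tag
	parts := strings.Split(compact, ".")
	if len(parts) != 5 {
		return false, errors.New("not a compact JWE (expected 5 segments)")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return false, fmt.Errorf("protected header: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return false, fmt.Errorf("protected header: %w", err)
	}
	usesKeyWrap := strings.HasSuffix(hdr.Alg, "KW") && !gcmKW[hdr.Alg]
	return usesKeyWrap && parts[1] == "", nil
}

// encHeader builds a base64url protected header for the constructed samples below.
func encHeader(alg string) string {
	return base64.RawURLEncoding.EncodeToString([]byte(fmt.Sprintf(`{"alg":%q,"enc":"A256GCM"}`, alg)))
}

func main() {
	// Constructed sample tokens; iv/ct/tag segments are placeholders, not real ciphertext.
	bad := encHeader("A128KW") + "..iv.ct.tag"    // empty encrypted_key: flagged
	ok := encHeader("A128GCMKW") + "..iv.ct.tag"  // GCM key wrap: not affected
	for _, t := range []string{bad, ok} {
		hit, err := IsAffectedJWE(t)
		fmt.Println(hit, err)
	}
}
```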
This update is a mandatory security chore for any development team using affected versions. The panic is a denial-of-service vector: a malicious actor who can submit a specially crafted JWE object can crash the process, disrupting authentication flows, API communications, or any system that processes encrypted tokens. While the immediate impact is a service crash rather than data exfiltration, the stability risk to production systems is high. Teams should prioritize applying these patches to prevent unexpected outages and close this exploitable code path in their dependency tree.