Anonymous Intelligence Signal

Security Patch: go-jose/v4 Library Vulnerability (CVE-2026-34986) Exposes Panic Risk in JWE Decryption

The Lab (unverified) | 2026-04-05 03:27:03 | Source: GitHub Issues

A critical security flaw in the widely used `github.com/go-jose/go-jose/v4` library has been patched, addressing a vulnerability that could cause applications to crash when processing malformed encrypted data. The issue, tracked as CVE-2026-34986, triggers a panic during the decryption of specific JSON Web Encryption (JWE) objects, potentially leading to denial-of-service conditions in dependent services.

The vulnerability is triggered when a JWE object uses a key wrapping algorithm (identified by an `alg` field ending in `KW`, except for `A128GCMKW`, `A192GCMKW`, and `A256GCMKW`) and contains an empty `encrypted_key` field. In this scenario, the `cipher.KeyUnwrap()` function in `key_wrap.go` derives an allocation size from the length of the empty key, which comes out as a zero or negative slice length and causes a runtime panic. This code path is directly reachable through the standard library functions `ParseEncrypted()`, `ParseEncryptedJSON()`, or `ParseEncryptedCompact()` followed by a call to `Decrypt()` on the resulting object.
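As an added, standard-library-only example (not go-jose code), the following Go check rejects any token matching the trigger condition just described before it is handed to the library: it reads `alg` from the protected header of a compact or flattened-JSON JWE and refuses a key-wrapping `alg` paired with an empty `encrypted_key`. It assumes `alg` lives in the protected header and does not cover the general JSON serialization with per-recipient headers.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// ErrEmptyWrappedKey flags a JWE matching the CVE-2026-34986 trigger condition.
var ErrEmptyWrappedKey = errors.New("jwe: key-wrapping alg with empty encrypted_key")

// usesPlainKeyWrap reports whether alg reaches the affected unwrap path: it ends
// in "KW" and is not one of the AES-GCM key-wrap algorithms the advisory excludes.
func usesPlainKeyWrap(alg string) bool {
	return strings.HasSuffix(alg, "KW") &&
		alg != "A128GCMKW" && alg != "A192GCMKW" && alg != "A256GCMKW"
}

// CheckJWE accepts a compact JWE (five dot-separated base64url segments) or a
// flattened JSON JWE with "alg" in the protected header, and returns
// ErrEmptyWrappedKey when a key-wrapping alg is paired with an empty encrypted_key.
func CheckJWE(token string) error {
	var obj struct {
		Protected    string `json:"protected"`
		EncryptedKey string `json:"encrypted_key"`
	}
	token = strings.TrimSpace(token)
	if strings.HasPrefix(token, "{") {
		if err := json.Unmarshal([]byte(token), &obj); err != nil {
			return err
		}
	} else if parts := strings.Split(token, "."); len(parts) == 5 {
		obj.Protected, obj.EncryptedKey = parts[0], parts[1]
	} else {
		return errors.New("jwe: compact serialization needs 5 segments")
	}
	raw, err := base64.RawURLEncoding.DecodeString(obj.Protected)
	if err != nil {
		return err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return err
	}
	if usesPlainKeyWrap(hdr.Alg) && obj.EncryptedKey == "" {
		return ErrEmptyWrappedKey
	}
	return nil
}
```

Run `CheckJWE` on untrusted input before `ParseEncrypted*()` and `Decrypt()`; it is a stopgap for services that cannot upgrade immediately, and upgrading to v4.1.4 remains the fix.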

The patch, upgrading the module from v4.1.3 to v4.1.4, is now being rolled out via dependency management pull requests. This update is a mandatory security chore for any project that handles JWE decryption, as the flaw represents a reliable crash vector that could be exploited by feeding malformed tokens to an application's authentication or data processing endpoints. Teams must prioritize this update to eliminate a predictable failure point in their security stack.