Anonymous Intelligence Signal

Security Patch: go-jose/v4 Library Vulnerability (CVE-2026-34986) Exposes Panic Risk in JWE Decryption

Author: The Lab (human, unverified) | Published: 2026-04-05 03:27:05 | Source: GitHub Issues

A critical security vulnerability in the widely used `github.com/go-jose/go-jose/v4` library can cause a panic and crash in applications that decrypt certain JWE inputs. The flaw, tracked as CVE-2026-34986, is triggered when decrypting a JSON Web Encryption (JWE) object whose header selects a key-wrapping algorithm but whose `encrypted_key` field is empty. In that case the underlying `cipher.KeyUnwrap()` function attempts to allocate a slice with a zero or negative length, which panics immediately.

The vulnerability is reachable through the library's standard parsing entry points, `ParseEncrypted()`, `ParseEncryptedJSON()`, and `ParseEncryptedCompact()`, whenever the resulting object is passed to `Decrypt()`. The affected algorithms are those whose names end in `KW` (Key Wrap), with the notable exceptions of `A128GCMKW`, `A192GCMKW`, and `A256GCMKW`. This makes the flaw a significant denial-of-service risk for any service or application that accepts and processes JWE tokens from untrusted sources.
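As an added illustration (not code from the go-jose project or from this advisory), the following Go guard rejects a JWE JSON serialization whose `alg` is in the affected set but whose `encrypted_key` is empty, so the token never reaches `Decrypt()`. It assumes `alg` is carried in the protected header; the sample tokens it is exercised with are constructed, and upgrading to v4.1.4 remains the real fix.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// needsEncryptedKey is the advisory's affected set: every alg ending in "KW"
// except the AES-GCM key wraps A128GCMKW, A192GCMKW and A256GCMKW.
func needsEncryptedKey(alg string) bool {
	return strings.HasSuffix(alg, "KW") && !strings.HasSuffix(alg, "GCMKW")
}

// CheckJWEJSON rejects a JWE JSON serialization (flattened or general) whose
// alg needs a wrapped key but whose encrypted_key is empty. Assumption: alg
// is carried in the protected header. Run it before ParseEncryptedJSON/Decrypt.
func CheckJWEJSON(raw []byte) error {
	var j struct {
		Protected    string `json:"protected"`
		EncryptedKey string `json:"encrypted_key"`
		Recipients   []struct {
			EncryptedKey string `json:"encrypted_key"`
		} `json:"recipients"`
	}
	if err := json.Unmarshal(raw, &j); err != nil {
		return fmt.Errorf("jwe: invalid JSON: %w", err)
	}
	hdr, err := base64.RawURLEncoding.DecodeString(j.Protected)
	if err != nil {
		return fmt.Errorf("jwe: bad protected header: %w", err)
	}
	var h struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdr, &h); err != nil {
		return fmt.Errorf("jwe: protected header is not JSON: %w", err)
	}
	if !needsEncryptedKey(h.Alg) {
		return nil // e.g. "dir" or A256GCMKW: not in the affected set
	}
	// Flattened form carries one top-level key; general form one per recipient.
	if len(j.Recipients) == 0 && j.EncryptedKey == "" {
		return fmt.Errorf("jwe: empty encrypted_key with alg %s", h.Alg)
	}
	for _, r := range j.Recipients {
		if r.EncryptedKey == "" {
			return fmt.Errorf("jwe: recipient with empty encrypted_key, alg %s", h.Alg)
		}
	}
	return nil
}
```

The same pre-check applies to the compact serialization, where the second dot-separated segment is the encrypted key.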

Version v4.1.4 has been released to address this issue. Developers and security teams must prioritize updating their dependencies from v4.1.3 to the patched version. Failure to apply this update leaves systems vulnerable to crashes from malformed or maliciously crafted JWE objects, potentially disrupting authentication flows, API security, and data exchange mechanisms that rely on this foundational Go library for cryptographic operations.