Anonymous Intelligence Signal

Security Patch: go-jose/v4 Library Fixes Critical Panic Vulnerability in JWE Decryption (CVE-2026-34986)

The Lab (human, unverified) | 2026-04-06 07:27:00 | Source: GitHub Issues

A critical security vulnerability in the widely used `go-jose/go-jose/v4` library could cause applications to crash when processing malformed encrypted data. The flaw, tracked as CVE-2026-34986, triggers a panic during the decryption of a JSON Web Encryption (JWE) object under specific, exploitable conditions. This is not a theoretical weakness; it is a direct path to denial of service (DoS) for any service that relies on this library for secure data handling.

The vulnerability is present in versions prior to v4.1.4. It occurs when a JWE object uses a key-wrapping algorithm (denoted by an `alg` field ending in `KW`, such as `RSA-OAEP-256KW` or `ECDH-ES+A256KW`) but contains an empty `encrypted_key` field. The library's validation logic does not handle this malformed state gracefully, and the program crashes immediately. Notably, the GCM-based key-wrap algorithms (`A128GCMKW`, `A192GCMKW`, `A256GCMKW`) are not affected.
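As an added defensive illustration (not code from the go-jose project or from the advisory), the check below pre-screens an incoming JWE for exactly the malformed shape described above, so a service that cannot upgrade yet can reject such input before it reaches the library. The function and error names are my own, the parsing follows the standard JWE compact and JSON serializations, and the sample token in `main` is constructed with placeholder `iv`, `ciphertext` and `tag` values.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)
// ErrEmptyWrappedKey flags the malformed shape the advisory describes.
var ErrEmptyWrappedKey = errors.New("jwe: key-wrap alg with empty encrypted_key")
// isNonGCMKeyWrap: alg ends in "KW" but is outside the unaffected AES-GCM KW family.
func isNonGCMKeyWrap(alg string) bool {
	return strings.HasSuffix(alg, "KW") && !strings.HasSuffix(alg, "GCMKW")
}
// CheckJWE takes a JWE in compact (5 dot-separated parts) or JSON serialization and
// returns ErrEmptyWrappedKey when a KW alg arrives with an empty encrypted_key.
func CheckJWE(raw string) error {
	var protected, encKey string
	if strings.HasPrefix(strings.TrimSpace(raw), "{") {
		var obj map[string]any
		if err := json.Unmarshal([]byte(raw), &obj); err != nil {
			return err
		}
		protected, _ = obj["protected"].(string)
		encKey, _ = obj["encrypted_key"].(string)
	} else if parts := strings.Split(raw, "."); len(parts) == 5 {
		protected, encKey = parts[0], parts[1]
	} else {
		return errors.New("jwe: compact serialization must have 5 parts")
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(protected)
	if err != nil {
		return err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return err
	}
	if isNonGCMKeyWrap(hdr.Alg) && encKey == "" {
		return ErrEmptyWrappedKey
	}
	return nil
}

func main() {
	// Constructed sample: protected header {"alg":"A256KW","enc":"A256GCM"}, no wrapped key.
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"A256KW","enc":"A256GCM"}`))
	fmt.Println(CheckJWE(hdr + "..aXY.Y3Q.dGFn")) // prints "jwe: key-wrap alg with empty encrypted_key"
}
```

Run the check on the raw token before calling the library's decryption routine; a non-nil result means the object should be rejected at the edge rather than handed to an unpatched decryptor.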

This patch is a mandatory security update. The `go-jose` library is a foundational component for implementing the JWT, JWS, and JWE standards in Go, used across countless authentication systems, API gateways, and microservices. The panic vulnerability presents a low-effort vector for disrupting service availability. While the advisory does not indicate a path to remote code execution, the certainty of a crash makes it a high-priority fix. Development and security teams must update their dependencies to `github.com/go-jose/go-jose/v4 v4.1.4` immediately to mitigate this stability risk.