Go-Jose v4.1.4 Security Update Patches Critical Panic Vulnerability in JWE Decryption (CVE-2026-34986)
A critical security vulnerability in the widely used Go-Jose library triggers a panic during the decryption of certain JSON Web Encryption (JWE) objects. The flaw, tracked as CVE-2026-34986, is present in versions prior to v4.1.4 and is triggered when a JWE object's `alg` (algorithm) field specifies a key wrapping algorithm, that is, any algorithm whose name ends in `KW`. This condition causes the library to panic, leading to a denial-of-service scenario for any application or service that processes such a malformed or maliciously crafted JWE token.
The vulnerability resides in the `github.com/go-jose/go-jose/v4` package, a core library for implementing JOSE standards (JSON Object Signing and Encryption) in Go. The issue was addressed in the newly released version v4.1.4. The update is classified as a security patch, and the accompanying GitHub security advisory (GHSA-78h2-9frx-2jm8) provides the definitive technical details. The patch is now being propagated through dependency management tools, as evidenced by automated pull requests from systems like RenovateBot, which flag the update with high confidence.
This vulnerability poses a direct stability risk to any system that accepts JWE tokens for decryption, including authentication services, API gateways, and data exchange platforms. While the immediate impact is a service crash (panic), it creates a readily exploitable vector for disrupting critical operations. The widespread adoption of the Go-Jose library across the cloud-native and microservices ecosystem means the potential attack surface is significant. Organizations must prioritize updating their dependencies to v4.1.4 to mitigate this denial-of-service risk.
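As an added example (not go-jose's code and not taken from the advisory), the following Go gate can sit in front of JWE decryption in a service that cannot upgrade immediately: it reads `alg` from the protected header, rejects anything outside an allowlist before the token reaches the library, and turns a panic raised during decryption into an ordinary error so one crafted token cannot take the whole process down. The allowlist values, the `decrypt` callback that stands in for the library call, and the placeholder token segments are assumptions constructed for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// allowedKeyAlgorithms is a hypothetical service policy: only the algs this service issues tokens with.
var allowedKeyAlgorithms = map[string]bool{"RSA-OAEP-256": true, "ECDH-ES": true}

// CheckKeyAlgorithm reads alg from the protected header (first compact segment) and rejects
// anything off the allowlist before the library sees the token (pre-v4.1.4, "...KW" could panic).
func CheckKeyAlgorithm(compact string) (string, error) {
	parts := strings.Split(compact, ".")
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if len(parts) != 5 || err != nil {
		return "", fmt.Errorf("malformed compact JWE: %d segments, header error: %v", len(parts), err)
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(raw, &hdr) != nil || hdr.Alg == "" {
		return "", fmt.Errorf("protected header has no usable alg")
	}
	if !allowedKeyAlgorithms[hdr.Alg] {
		return hdr.Alg, fmt.Errorf("alg %q is not permitted", hdr.Alg)
	}
	return hdr.Alg, nil
}

// SafeDecrypt gates the token, then runs the caller-supplied decrypt (go-jose's in practice; a
// callback here so this file has no dependency) and turns a panic into an error, not a crash.
func SafeDecrypt(compact string, decrypt func(string) ([]byte, error)) (pt []byte, err error) {
	if _, gateErr := CheckKeyAlgorithm(compact); gateErr != nil {
		return nil, gateErr
	}
	defer func() {
		if r := recover(); r != nil {
			pt, err = nil, fmt.Errorf("decrypt panicked: %v", r)
		}
	}()
	return decrypt(compact)
}

// constructedJWE builds a compact JWE with the given alg and constructed placeholder segments.
func constructedJWE(alg string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "enc": "A256GCM"})
	e := base64.RawURLEncoding.EncodeToString
	return strings.Join([]string{e(hdr), e([]byte("k")), e([]byte("iv")), e([]byte("ct")), e([]byte("t"))}, ".")
}
```

Upgrading to v4.1.4 remains the fix; the gate and the recover wrapper only contain the blast radius until the dependency is bumped. go-jose v4's own `jose.ParseEncrypted` also takes explicit lists of permitted key and content encryption algorithms, and passing only the ones your service issues is the same control at the library boundary.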