Skip to content

[release-v0.78.x] Security: Fix CVE-2026-34986 (go-jose)#3748

Open
jkhelil wants to merge 2 commits into
release-v0.78.xfrom
fix/SRVKP-12885-cve-2026-34986-go-jose-release-v0.78.x-attempt-1
Open

[release-v0.78.x] Security: Fix CVE-2026-34986 (go-jose)#3748
jkhelil wants to merge 2 commits into
release-v0.78.xfrom
fix/SRVKP-12885-cve-2026-34986-go-jose-release-v0.78.x-attempt-1

Conversation

@jkhelil

@jkhelil jkhelil commented Jul 16, 2026

Copy link
Copy Markdown
Member

Changes

Remove the replace directive that pinned github.com/go-jose/go-jose/v4 to vulnerable v4.0.5, allowing the already-required v4.1.4 (the fixed version) to be used.

CVE Details:

  • ID: CVE-2026-34986
  • Package: github.com/go-jose/go-jose/v4
  • Severity: Undefined (DoS — Denial of Service)
  • Affected versions: < 4.1.4 and < 3.0.5
  • Fixed version: v4.1.4
  • Description: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object. Decrypting a JWE object with a key-wrapping algorithm and an empty encrypted_key field causes a panic in cipher.KeyUnwrap().

Fix Summary:

  • Removed replace directive: github.com/go-jose/go-jose/v4 => github.com/go-jose/go-jose/v4 v4.0.5
  • The require section already declared v4.1.4 // indirect — removing the replace directive allows the fixed version to take effect
  • Ran go mod tidy && go mod verify && go mod vendor — all passed ✅

Test Results:

  • go test ./... — timed out after 300s in sandbox environment
  • All visible packages passed before timeout (large repo with many packages)
  • ⚠️ Tests timed out — manual review of CI results recommended before merge

Breaking Changes: None — v4.1.4 is a patch release fixing the DoS panic

Risk Assessment: Low — removes a pinned replace directive that was actively downgrading a dependency to a vulnerable version

Jira References: SRVKP-12885

Submitter Checklist

  • Run make test lint before submitting a PR
  • Includes tests (dependency update — no new logic)
  • Includes docs (not user-facing)
  • Commit messages follow commit message best practices

Release Notes

Security: Update go-jose/v4 from v4.0.5 to v4.1.4 to fix CVE-2026-34986 (Denial of Service via crafted JWE object)

Co-Assisted-By: Claude Sonnet 4.6 noreply@anthropic.com

@tekton-robot tekton-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Jul 16, 2026
@tekton-robot tekton-robot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Jul 16, 2026
@jkhelil

jkhelil commented Jul 16, 2026

Copy link
Copy Markdown
Member Author

/approve

@tekton-robot

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jkhelil

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 16, 2026
Upgrade github.com/go-jose/go-jose/v4 from v4.0.5 to v4.1.4 to address CVE-2026-34986.

Jira: SRVKP-12885
govulncheck scan: N/A
Test result: failed

Co-Assisted-By: CVE Fixer Bot <cve-fixer@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
@jkhelil jkhelil force-pushed the fix/SRVKP-12885-cve-2026-34986-go-jose-release-v0.78.x-attempt-1 branch from 348d7cf to bae6558 Compare July 16, 2026 07:53
@tekton-robot tekton-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants