
Security: Fix CVE-2026-34986 (go-jose/go-jose/v4) SRVKP-11490 #2858

Merged
tekton-robot merged 1 commit into release-v0.42.2 from fix/SRVKP-11490-cve-2026-34986-github.com-go-jose-go-jose-v4-release-v0.42.2-attempt-1 on May 18, 2026

Conversation

@divyansh42
Member

Summary

This PR fixes CVE-2026-34986 by upgrading github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4.

CVE Details

  • CVE ID: CVE-2026-34986
  • GHSA: GHSA-78h2-9frx-2jm8
  • Package: github.com/go-jose/go-jose/v4
  • Severity: HIGH
  • Impact: Denial of Service via crafted JSON Web Encryption (JWE) object — panics in JWE decryption
  • Vulnerable versions: < 4.1.4
  • Fixed version: v4.1.4
  • Jira Issue: SRVKP-11490

Changes

  • go.mod: Updated github.com/go-jose/go-jose/v4 v4.1.3 → v4.1.4
  • go.sum: Updated checksums
  • vendor/: Synced via go mod vendor

Test Results

Status: Passed (1 pre-existing failure unrelated to this change)

Test command: go test ./...
Result: All packages passed except pkg/formatted (pre-existing TestDecoration failure due to terminal ANSI escape code handling — not related to go-jose)

Breaking Changes

None. This is a patch-level upgrade within the same minor version (v4.1.x). No API changes.

Verification

  • go mod tidy — passed
  • go mod verify — all modules verified
  • go mod vendor — synced cleanly

Testing Checklist

  • Pre-PR automated tests executed
  • Verify CVE is resolved with security scan
  • Test affected functionality manually

Risk Assessment

Factor / Assessment
  • Change scope: Minimal — single indirect dependency patch bump
  • Breaking changes: None
  • Test coverage: Good — all tests pass (1 pre-existing unrelated failure)
  • Risk level: Low

Generated by CVE Fixer Workflow

Security fix: update github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4 to address CVE-2026-34986

Made with Cursor

- Update github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4
- Addresses denial of service vulnerability via crafted JWE object
- go mod tidy && go mod verify passed
- go mod vendor synced

Resolves: SRVKP-11490

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
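A check that the bump described above actually reaches the build, as an added example that is not part of this PR or of the project's code: it reads vendor/modules.txt and go.mod (both touched by the PR), confirms the resolved go-jose version is at least v4.1.4, and flags a replace directive that could pin the module elsewhere. File paths and file contents are constructed for illustration; the version comparison handles plain major.minor.patch tags only.

```shell
#!/bin/sh
# Verify that github.com/go-jose/go-jose/v4 resolves to the fixed release
# (>= v4.1.4) in a vendored Go module. Example code, not from the PR.

MODULE="github.com/go-jose/go-jose/v4"
FIXED="4.1.4"   # first non-vulnerable version per the advisory in the PR

# version_ge A B: exit 0 if semver A >= B (compares major.minor.patch numerically,
# accepts a leading "v", ignores pre-release suffixes).
version_ge() {
  a="${1#v}"; b="${2#v}"
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i" | sed 's/[^0-9].*//')
    y=$(printf '%s' "$b" | cut -d. -f"$i" | sed 's/[^0-9].*//')
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# resolved_version MODULES_TXT: print the version vendor/modules.txt records
# for MODULE. Each vendored module appears there as "# <path> <version>".
resolved_version() {
  awk -v m="$MODULE" '$1 == "#" && $2 == m { print $3; exit }' "$1"
}

# check_gojose_fixed MODULES_TXT GO_MOD: exit 0 when the fixed version is
# vendored and go.mod has no replace directive for the module; 1 otherwise.
check_gojose_fixed() {
  v=$(resolved_version "$1")
  if [ -z "$v" ]; then
    echo "FAIL: $MODULE is not listed in $1"; return 1
  fi
  # A replace line looks like "<path> [<version>] => <target>"; the dots in
  # MODULE match loosely under -E, which is acceptable for this check.
  if grep -Eq "$MODULE( v[0-9.]+)?[[:space:]]*=>" "$2"; then
    echo "FAIL: replace directive for $MODULE in $2; vendored version may not apply"; return 1
  fi
  if version_ge "$v" "v$FIXED"; then
    echo "OK: $MODULE $v (>= v$FIXED)"; return 0
  fi
  echo "FAIL: $MODULE $v is below v$FIXED (vulnerable to CVE-2026-34986)"; return 1
}
```

Run it from the repository root as `check_gojose_fixed vendor/modules.txt go.mod`; a non-zero exit is the signal that the patch bump did not land in the vendored build.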
@tekton-robot tekton-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label May 13, 2026
@tekton-robot tekton-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label May 13, 2026
@pratap0007
Contributor

/approve

Member

@vdemeester vdemeester left a comment


/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label May 18, 2026
@tekton-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pratap0007, vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 18, 2026
@tekton-robot tekton-robot merged commit 836544f into release-v0.42.2 May 18, 2026
13 checks passed