## Go-JOSE v4.1.4 Patches Critical Panic Vulnerability in JWE Decryption (CVE-2026-34986)
A critical security flaw in the widely used Go-JOSE library forces a mandatory patch to version 4.1.4. The vulnerability, tracked as CVE-2026-34986, causes the library to panic and crash when attempting to decrypt a specially crafted JSON Web Encryption (JWE) object. This is not a theoretical weakness; it is a denial-of-service vector that can be triggered against any system that processes JWE tokens, potentially disrupting authentication flows, API security, and data exchange in Go applications.

The flaw resides in the key unwrapping logic. When a JWE object uses a key wrapping algorithm (denoted by an `alg` field ending in `KW`, excluding the GCMKW variants) and contains an empty `encrypted_key` field, the `cipher.KeyUnwrap()` function attempts to allocate a slice with invalid parameters, leading to an immediate runtime panic. This condition is exploitable by an attacker who can submit malformed JWE tokens to a vulnerable endpoint. The issue is specific to the indirect dependency path `github.com/go-jose/go-jose/v4` and is fixed in the patch update from v4.1.3 to v4.1.4.
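The following Go program is an added example, not code from go-jose or from the advisory. It shows a defensive preflight check that a service could run on incoming compact-serialized JWE tokens: it rejects the exact shape described above (an `alg` ending in `KW`, other than the GCMKW variants, combined with an empty `encrypted_key` segment) before the token reaches the library, and wraps the application's own decrypt call in a `recover` so that a panic from any remaining malformed input becomes an error instead of a process crash. The `decrypt` callback, the `BuildSampleJWE` helper and its placeholder segments are assumptions for illustration; the only real fix is upgrading to v4.1.4.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Sentinel errors so callers can distinguish the rejected shapes.
var (
	ErrMalformedJWE      = errors.New("jwe: not a five-part compact serialization")
	ErrEmptyEncryptedKey = errors.New("jwe: key-wrapping alg with empty encrypted_key")
)

// protectedHeader carries the only header member this check needs.
type protectedHeader struct {
	Alg string `json:"alg"`
}

// isKeyWrapAlg reports whether alg matches the advisory's description:
// an "alg" ending in "KW", excluding the GCMKW variants.
func isKeyWrapAlg(alg string) bool {
	return strings.HasSuffix(alg, "KW") && !strings.HasSuffix(alg, "GCMKW")
}

// PreflightCompactJWE rejects a compact-serialized JWE whose protected header
// names a key-wrapping algorithm while the encrypted_key segment is empty.
// Every other token is passed through untouched for the library to judge.
func PreflightCompactJWE(token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return ErrMalformedJWE
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return fmt.Errorf("%w: protected header is not base64url: %v", ErrMalformedJWE, err)
	}
	var hdr protectedHeader
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return fmt.Errorf("%w: protected header is not JSON: %v", ErrMalformedJWE, err)
	}
	if isKeyWrapAlg(hdr.Alg) && parts[1] == "" {
		return ErrEmptyEncryptedKey
	}
	return nil
}

// SafeDecrypt runs the preflight check and then calls decrypt, which stands in
// for the application's own call into the JWE library (an assumed callback).
// A panic raised inside decrypt is converted into an error so that a single
// malformed token cannot take down the whole process. This is a generic Go
// containment pattern, not something go-jose provides.
func SafeDecrypt(token string, decrypt func(string) ([]byte, error)) (plaintext []byte, err error) {
	if perr := PreflightCompactJWE(token); perr != nil {
		return nil, perr
	}
	defer func() {
		if r := recover(); r != nil {
			plaintext = nil
			err = fmt.Errorf("jwe: decryption panicked: %v", r)
		}
	}()
	return decrypt(token)
}

// BuildSampleJWE assembles a constructed compact JWE for demonstration only:
// the protected header and encrypted_key segment are meaningful, while the
// iv, ciphertext and tag segments are placeholders, so the token never decrypts.
func BuildSampleJWE(alg, encryptedKey string) string {
	hdrJSON, _ := json.Marshal(map[string]string{"alg": alg, "enc": "A256GCM"})
	hdr := base64.RawURLEncoding.EncodeToString(hdrJSON)
	return strings.Join([]string{hdr, encryptedKey, "aXY", "Y2lwaGVydGV4dA", "dGFn"}, ".")
}

func main() {
	// A decrypt stand-in that panics on everything, modelling an unpatched library
	// receiving input it cannot handle (constructed behaviour, not go-jose itself).
	panicky := func(string) ([]byte, error) { panic("simulated panic from an unpatched decrypt") }

	for _, tok := range []string{
		BuildSampleJWE("A256KW", ""),    // rejected by preflight, decrypt never runs
		BuildSampleJWE("A256GCMKW", ""), // GCMKW is excluded, reaches decrypt, panic is contained
		BuildSampleJWE("A128KW", "d2s"), // non-empty encrypted_key, reaches decrypt, panic is contained
	} {
		_, err := SafeDecrypt(tok, panicky)
		fmt.Printf("%-48.48s... -> %v\n", tok, err)
	}
}
```

The same rule applies to the `encrypted_key` member of the JSON serialization if a service accepts that form. To confirm whether the module is present in a dependency graph at all, `go list -m all` lists every module including indirect ones, and `go get github.com/go-jose/go-jose/v4@v4.1.4` moves the graph to the patched release; the preflight above is only a stopgap for the window before that update ships.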

This vulnerability places immediate pressure on development and security teams across the Go ecosystem. Any service that relies on go-jose/v4 for JWE operations (common in OAuth 2.0, OpenID Connect, and secure message passing) is at risk of unplanned crashes. The advisory (GHSA-78h2-9frx-2jm8) mandates an urgent review and update of dependency graphs. The warning that 'some dependencies could not be looked up' in the associated PR further underscores the operational urgency, since an obscured dependency chain can leave a critical service exposed without its owners knowing the module is present. Failure to patch introduces a straightforward availability risk to core security infrastructure.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, golang, vulnerability, authentication, library
- **Credibility**: unverified
- **Published**: 2026-04-10 23:22:33
- **ID**: 59596
- **URL**: https://whisperx.ai/en/intel/59596