CVE-2026-34986
Severity: HIGH 7.5 | EPSS: 0.03%
Go JOSE Panics in JWE decryption in github.com/go-jose/go-jose
Published: 4/3/2026 | Modified: 6/1/2026
Description
The go-jose package is subject to a panic when decrypting certain JSON Web Encryption (JWE) tokens. This occurs when an attacker can provide a maliciously crafted JWE token that triggers an unhandled exception during the decryption process, leading to a denial-of-service.
Affected packages (9)
- Debian/golang-github-go-jose-go-jose: from 0
- Debian/golang-github-go-jose-go-jose.v3: from 0
- Debian/golang-gopkg-square-go-jose.v1: from 0
- Debian/golang-gopkg-square-go-jose.v2: from 0
- Go/github.com/go-jose/go-jose: from 0, <= 2.6.3
- Go/github.com/go-jose/go-jose/v3: from 0, < 3.0.5
- Go/github.com/go-jose/go-jose/v3: from 0, < 3.0.5
- Go/github.com/go-jose/go-jose/v4: from 0, < 4.1.4
- Go/github.com/go-jose/go-jose/v4: from 0, < 4.1.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-34986
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2026-34986
- PATCH: https://github.com/go-jose/go-jose
- WEB: https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8
- WEB: https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants