Denial of Service Vulnerability in Go JOSE (JavaScript Object Signing and Encryption) by go-jose
CVE-2026-34986

7.5 HIGH

Key Information:

Vendor: Go-jose
Status: Vendor
CVE Published: 6 April 2026

What is CVE-2026-34986?

The Go JOSE library, which implements the JavaScript Object Signing and Encryption standards, contains a vulnerability that can lead to a denial of service condition. Specifically, prior to versions 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object can cause a panic if the `alg` header specifies a key wrapping algorithm and the `encrypted_key` field is empty. The panic occurs during key unwrapping, when the library attempts to allocate a slice with an invalid length; an unrecovered panic terminates the Go process, rendering the application unresponsive. The condition can be reached through the library's JWE parsing functions or, less commonly, by calling the key unwrapping function directly with unsuitable parameters. Affected users are urged to upgrade to version 4.1.4 or 3.0.5 (or later) to mitigate this risk.
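The failure mode above (a key-wrapping `alg` combined with an empty `encrypted_key`) can be screened for before a token ever reaches the library, and a panic inside decryption can be converted into an ordinary error so that one malformed token does not crash the process. The following is an added, stand-alone example written for this page; it is not code from go-jose, and it deliberately uses only the Go standard library. The list of algorithms it treats as key wrapping is my assumption taken from the JWA registry (RFC 7518), not an enumeration from the advisory, and it assumes `alg` lives in the protected header.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// keyWrapAlgs lists JWA "alg" values that wrap a content-encryption key.
// Assumption for illustration: taken from RFC 7518 section 4, not from
// the advisory, which does not enumerate the affected algorithms.
var keyWrapAlgs = map[string]bool{
	"RSA1_5": true, "RSA-OAEP": true, "RSA-OAEP-256": true,
	"A128KW": true, "A192KW": true, "A256KW": true,
	"A128GCMKW": true, "A192GCMKW": true, "A256GCMKW": true,
	"ECDH-ES+A128KW": true, "ECDH-ES+A192KW": true, "ECDH-ES+A256KW": true,
	"PBES2-HS256+A128KW": true, "PBES2-HS384+A192KW": true, "PBES2-HS512+A256KW": true,
}

// ErrEmptyEncryptedKey is returned when a key-wrapping alg carries no encrypted key.
var ErrEmptyEncryptedKey = errors.New("jwe: key-wrapping alg with empty encrypted_key")

// headerAlg decodes a base64url protected header and returns its "alg" value.
func headerAlg(protected string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(protected)
	if err != nil {
		return "", fmt.Errorf("jwe: bad protected header: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return "", fmt.Errorf("jwe: protected header is not JSON: %w", err)
	}
	return hdr.Alg, nil
}

// CheckJWE rejects a JWE, in compact or JSON serialization, whose protected
// header names a key-wrapping alg while every encrypted_key is empty.
// It is a pre-filter only; it does not validate or decrypt the token.
func CheckJWE(input string) error {
	trimmed := strings.TrimSpace(input)
	var protected string
	var encKeys []string
	if strings.HasPrefix(trimmed, "{") {
		// JSON serialization: flattened (top-level encrypted_key) or
		// general (one encrypted_key per recipient).
		var js struct {
			Protected    string `json:"protected"`
			EncryptedKey string `json:"encrypted_key"`
			Recipients   []struct {
				EncryptedKey string `json:"encrypted_key"`
			} `json:"recipients"`
		}
		if err := json.Unmarshal([]byte(trimmed), &js); err != nil {
			return fmt.Errorf("jwe: invalid JSON serialization: %w", err)
		}
		protected = js.Protected
		if len(js.Recipients) > 0 {
			for _, r := range js.Recipients {
				encKeys = append(encKeys, r.EncryptedKey)
			}
		} else {
			encKeys = []string{js.EncryptedKey}
		}
	} else {
		// Compact serialization: header.encrypted_key.iv.ciphertext.tag
		parts := strings.Split(trimmed, ".")
		if len(parts) != 5 {
			return fmt.Errorf("jwe: expected 5 compact segments, got %d", len(parts))
		}
		protected, encKeys = parts[0], []string{parts[1]}
	}
	alg, err := headerAlg(protected)
	if err != nil {
		return err
	}
	if keyWrapAlgs[alg] {
		for _, k := range encKeys {
			if k == "" {
				return ErrEmptyEncryptedKey
			}
		}
	}
	return nil
}

// DecryptWithRecover runs decrypt and turns a panic inside it into an error,
// so a single malformed token cannot take down the whole service. This is a
// stop-gap for callers who cannot upgrade immediately, not a fix.
func DecryptWithRecover(decrypt func() ([]byte, error)) (out []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			out, err = nil, fmt.Errorf("jwe: decrypt panicked: %v", r)
		}
	}()
	return decrypt()
}

func main() {
	// Constructed sample: A256KW header, empty encrypted_key segment.
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"A256KW","enc":"A256GCM"}`))
	fmt.Println("empty key:", CheckJWE(hdr+"..aXY.Y2lwaGVy.dGFn"))
	fmt.Println("with key: ", CheckJWE(hdr+".a2V5.aXY.Y2lwaGVy.dGFn"))
	_, err := DecryptWithRecover(func() ([]byte, error) { panic("simulated library panic") })
	fmt.Println("recovered:", err)
}
```

Run `CheckJWE` on the raw token at the edge (for example in the handler that receives the token), and wrap the actual decrypt call in `DecryptWithRecover` until the upgrade to 4.1.4 / 3.0.5 is deployed. Tokens using `dir` or ECDH-ES without wrapping legitimately carry an empty `encrypted_key`, which is why the check keys on `alg` rather than rejecting every empty segment.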

Affected Version(s)

go-jose 4.x: >= 4.0.0, < 4.1.4 (fixed in 4.1.4)

go-jose 3.x: < 3.0.5 (fixed in 3.0.5)

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
