{"id":"GO-2026-4945","summary":"Go JOSE Panics in JWE decryption in github.com/go-jose/go-jose","details":"The go-jose package can panic when decrypting certain JSON Web Encryption (JWE) tokens. An attacker who can supply a maliciously crafted JWE token can trigger an unhandled panic during decryption, resulting in a denial of service.","aliases":["CVE-2026-34986","GHSA-78h2-9frx-2jm8"],"modified":"2026-05-26T23:26:30.177671Z","published":"2026-05-26T22:49:18Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2026-4945","review_status":"REVIEWED"},"references":[{"type":"ADVISORY","url":"https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"},{"type":"WEB","url":"https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"}],"affected":[{"package":{"name":"github.com/go-jose/go-jose/v3","ecosystem":"Go","purl":"pkg:golang/github.com/go-jose/go-jose/v3"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"3.0.5"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/go-jose/go-jose/v3"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4945.json"}},{"package":{"name":"github.com/go-jose/go-jose/v4","ecosystem":"Go","purl":"pkg:golang/github.com/go-jose/go-jose/v4"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"4.1.4"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/go-jose/go-jose/v4"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4945.json"}}],"schema_version":"1.7.5","credits":[{"name":"Datadog's Security team"}]}