CVE-2026-34986
Published: 06 April 2026
Summary
CVE-2026-34986 is a high-severity Uncaught Exception (CWE-248) vulnerability in Go-Jose Project's Go-Jose library. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 6.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Upgrading vulnerable Go JOSE library versions to 4.1.4 or 3.0.5 directly eliminates the panic during JWE decryption with an empty encrypted_key.
- Secure error handling (SI-11) prevents application panics and crashes when processing malformed JWE objects that combine a key wrapping algorithm with an empty encrypted_key field.
- Input validation (SI-10) rejects incoming JWE inputs whose encrypted_key is empty for the affected key wrapping algorithms, blocking the path to the cipher.KeyUnwrap() panic.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote unauthenticated attackers to crash applications via crafted JWE inputs, directly facilitating exploitation of public-facing applications (T1190) for endpoint denial of service through application exploitation (T1499.004).
NVD Description
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.
Deeper analysis
CVE-2026-34986 is a denial-of-service vulnerability in the Go JOSE library, which implements JavaScript Object Signing and Encryption (JOSE) standards including JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) in Go. In versions prior to 4.1.4 and 3.0.5, decrypting a JWE object triggers a panic if the 'alg' field specifies a key wrapping algorithm (those ending in 'KW', excluding A128GCMKW, A192GCMKW, and A256GCMKW) and the 'encrypted_key' field is empty. The panic occurs in key_wrap.go during cipher.KeyUnwrap() when attempting to allocate a slice with zero or negative length based on the empty encrypted_key. This issue is reachable via ParseEncrypted(), ParseEncryptedJSON(), or ParseEncryptedCompact() followed by Decrypt() on the parsed object, provided the accepted key algorithms include the vulnerable ones.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity by crafting and sending a malicious JWE object that meets the conditions, causing the application to panic and crash. The attack requires the target application to parse and decrypt JWE inputs while accepting the specified key wrapping algorithms; if no such algorithms are accepted, parsing fails safely. Exploitation directly via cipher.KeyUnwrap() with ciphertext under 16 bytes is possible but less common. Successful exploitation results in denial of service due to the panic, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-248.
The Go JOSE GitHub security advisory (GHSA-78h2-9frx-2jm8) confirms the issue and states it is fixed in versions 4.1.4 and 3.0.5. Security practitioners should upgrade to these patched versions and review applications using Go JOSE for JWE decryption to ensure accepted key algorithms are appropriately restricted, mitigating exposure to crafted inputs.
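The two compensating controls listed under Mitigating Controls (input validation on encrypted_key, error handling around decryption) and the parse-then-decrypt path walked through in the deeper analysis, as an added Go example that is not part of this advisory or of the go-jose project: a pre-parse screen that rejects a compact JWE whose alg is one of the affected key wrapping algorithms and whose encrypted_key decodes to fewer than 16 bytes, plus a recover wrapper that turns a decrypt panic into an ordinary error. The function names, the 16-byte threshold (taken from the advisory's description of cipher.KeyUnwrap()), and the sample tokens are all constructed here; the filler iv, ciphertext and tag segments are never decrypted.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// minWrappedKeyLen mirrors the advisory: cipher.KeyUnwrap() in the affected
// versions panics on any ciphertext shorter than 16 bytes.
const minWrappedKeyLen = 16

// IsAffectedKeyWrapAlg reports whether alg is a key wrapping algorithm the
// advisory names: one ending in "KW", except the AES-GCM key wrap variants.
func IsAffectedKeyWrapAlg(alg string) bool {
	switch alg {
	case "A128GCMKW", "A192GCMKW", "A256GCMKW":
		return false
	}
	return strings.HasSuffix(alg, "KW")
}

// header carries the only JOSE header field the check needs.
type header struct {
	Alg string `json:"alg"`
}

func decodeHeader(b64 string) (h header, err error) {
	raw, err := base64.RawURLEncoding.DecodeString(b64)
	if err == nil {
		err = json.Unmarshal(raw, &h)
	}
	if err != nil {
		err = fmt.Errorf("jwe: bad protected header: %w", err)
	}
	return h, err
}

// checkEncryptedKey is the input-validation rule (SI-10): for an affected alg
// the decoded encrypted_key must be at least minWrappedKeyLen bytes.
func checkEncryptedKey(alg, encKeyB64 string) error {
	if !IsAffectedKeyWrapAlg(alg) {
		return nil // e.g. "dir" legitimately carries an empty encrypted_key
	}
	key, err := base64.RawURLEncoding.DecodeString(encKeyB64)
	if err != nil {
		return fmt.Errorf("jwe: encrypted_key is not base64url: %w", err)
	}
	if len(key) < minWrappedKeyLen {
		return fmt.Errorf("jwe: alg %s with %d-byte encrypted_key rejected (minimum %d)",
			alg, len(key), minWrappedKeyLen)
	}
	return nil
}

// CheckJWECompact screens a compact JWE (protected.encrypted_key.iv.ciphertext.tag)
// before it is handed to the library's ParseEncryptedCompact/Decrypt.
func CheckJWECompact(token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return fmt.Errorf("jwe: expected 5 segments, got %d", len(parts))
	}
	h, err := decodeHeader(parts[0])
	if err != nil {
		return err
	}
	return checkEncryptedKey(h.Alg, parts[1])
}

// SafeDecrypt is the error-handling layer (SI-11): a panic inside the decrypt
// callback becomes an ordinary error instead of taking the process down.
func SafeDecrypt(decrypt func() ([]byte, error)) (plain []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			plain, err = nil, fmt.Errorf("jwe: decrypt panicked: %v", r)
		}
	}()
	return decrypt()
}

// SampleCompact builds a constructed compact JWE with the given alg and
// encrypted_key; iv, ciphertext and tag are filler and are never decrypted.
func SampleCompact(alg string, encKey []byte) string {
	b64 := base64.RawURLEncoding.EncodeToString
	hdr, _ := json.Marshal(header{Alg: alg})
	return strings.Join([]string{b64(hdr), b64(encKey), b64([]byte("iv")), b64([]byte("ct")), b64([]byte("tag"))}, ".")
}

func main() {
	fmt.Println(CheckJWECompact(SampleCompact("A128KW", nil)))              // rejected: empty encrypted_key
	fmt.Println(CheckJWECompact(SampleCompact("A128KW", make([]byte, 24)))) // nil: plausible wrapped CEK
	fmt.Println(CheckJWECompact(SampleCompact("dir", nil)))                 // nil: direct encryption has no encrypted_key
	_, err := SafeDecrypt(func() ([]byte, error) {
		var encryptedKey []byte               // empty, as in the advisory
		_ = make([]byte, len(encryptedKey)-8) // a negative-length allocation panics at runtime
		return nil, nil
	})
	fmt.Println(err) // the recovered panic, reported as an error
}
```

Wire CheckJWECompact in front of ParseEncryptedCompact on the raw token, and run the library's Decrypt inside SafeDecrypt so a handler goroutine cannot take the process down. Both are belt-and-braces around the real fixes the advisory names: upgrading to 4.1.4 or 3.0.5 and passing only the key algorithms you actually use to the parse functions. For the JSON serialization (ParseEncryptedJSON) the same length rule applies to each recipient's encrypted_key, with alg possibly coming from the per-recipient or shared unprotected header rather than the protected one.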
Details
- CWE(s)