What is CVE-2026-34986?

CVE-2026-34986 is a high-severity vulnerability in Go-jose, classified under CWE-248. CVSS score: 7.5/10. Published 2026-04-06.

How severe is CVE-2026-34986?

High severity. CVSS v3 base score is 7.5 out of 10.

Vulnerability in Go-jose

CVE-2026-34986

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3…

EPSS: 0.000 (10.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Affected products

Go-jose — versions >= 4.0.0, < 4.1.4, < 3.0.5
Go-jose_project Go-jose

Weakness classification (CWE)

CWE-248

References

https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8 (x_refsource_CONFIRM, Mitigation, Vendor Advisory)
https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants (Technical Description, Product, x_refsource_MISC)

Frequently asked questions

What is CVE-2026-34986?: CVE-2026-34986 is a high-severity vulnerability in Go-jose, classified under CWE-248. CVSS score: 7.5/10. Published 2026-04-06.
How severe is CVE-2026-34986?: High severity. CVSS v3 base score is 7.5 out of 10.