
fix(cve): cve-2026-34986 - go-jose dos [rhoai-3.3]#404

Open
vmrh21 wants to merge 1 commit into
red-hat-data-services:rhoai-3.3from
vmrh21:fix/cve-2026-34986-go-jose-rhoai-3.3-attempt-2

Conversation

@vmrh21

@vmrh21 vmrh21 commented Apr 30, 2026


Summary

Updates github.com/go-jose/go-jose/v4 from v4.1.1 to v4.1.4 to fix a denial of service vulnerability via a crafted JSON Web Encryption (JWE) object.

CVE details

  • CVE ID: CVE-2026-34986
  • Package: github.com/go-jose/go-jose/v4
  • Severity: medium
  • Impact: denial of service — decrypting a JWE object panics if the alg field indicates a key wrapping algorithm and the encrypted_key field is empty
  • Vulnerable versions: < 4.1.4 (v4 series), < 3.0.5 (v3 series)
  • Fixed version: 4.1.4

Changes

  • Update go-jose/go-jose/v4 from v4.1.1 to v4.1.4 in maas-api/go.mod
  • Run go mod tidy to update maas-api/go.sum
  • No application code changes required

Test results

Status: ✅ all tests passed

Tests discovered: yes
Test command: go test ./...
Result: passed
Packages tested: api_keys, handlers, models, tier

Breaking changes

None — v4.1.4 is a patch release with no breaking API changes.

Verification checklist

  • Pre-PR automated tests executed and passed
  • go-jose updated from v4.1.1 to v4.1.4
  • go mod tidy completed successfully
  • Verify CVE is resolved with security scan
  • CI/CD pipeline passes

Risk assessment

| Factor | Assessment |
| --- | --- |
| Change scope | Minimal — indirect dependency version bump only |
| Breaking changes | None — patch release |
| Test coverage | ✅ All existing tests pass |
| Rollback | Simple — revert go.mod and go.sum |
| Overall risk | Low |

Jira

Resolves: RHOAIENG-56853

🤖 Generated by CVE fixer workflow

Update github.com/go-jose/go-jose/v4 from v4.1.1 to v4.1.4 to fix a
denial of service vulnerability via a crafted JSON Web Encryption (JWE)
object.

CVE details:
- CVE-2026-34986: go-jose DoS via crafted JWE object
- Affected versions: < 4.1.4 and < 3.0.5
- Fixed in: 4.1.4 and 3.0.5
- Impact: panic when decrypting JWE with key wrapping algorithm
  and empty encrypted_key field

Changes:
- Update go-jose/go-jose/v4 v4.1.1 -> v4.1.4 in go.mod
- Run go mod tidy to update go.sum

Test results:
- All tests pass (api_keys, handlers, models, tier)

Resolves: RHOAIENG-56853

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
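As an added illustration (not code from this PR or from go-jose), a stdlib-only Go guard that rejects the JWE shape the PR describes, a key wrapping alg paired with an empty encrypted_key segment, before the token reaches the decrypting library. The algorithm list follows RFC 7518 §4.1 and the sample segments are constructed; such a pre-check is defense in depth alongside the version bump, which remains the actual fix.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Key-management algorithms from RFC 7518 §4.1 that carry a wrapped or encrypted
// CEK in the JWE encrypted_key segment; only "dir" and "ECDH-ES" leave it empty.
var algNeedsEncryptedKey = map[string]bool{
	"RSA1_5": true, "RSA-OAEP": true, "RSA-OAEP-256": true,
	"A128KW": true, "A192KW": true, "A256KW": true,
	"ECDH-ES+A128KW": true, "ECDH-ES+A192KW": true, "ECDH-ES+A256KW": true,
	"A128GCMKW": true, "A192GCMKW": true, "A256GCMKW": true,
	"PBES2-HS256+A128KW": true, "PBES2-HS384+A192KW": true, "PBES2-HS512+A256KW": true,
}

// ErrMissingEncryptedKey is the shape described in the PR: key wrapping alg, empty encrypted_key.
var ErrMissingEncryptedKey = errors.New("jwe: alg requires an encrypted_key but the segment is empty")

// CheckCompactJWE inspects a compact-serialized JWE (header.encrypted_key.iv.ciphertext.tag,
// each base64url) before it is handed to the decrypting library. It returns the
// protected header's alg, or an error for malformed input or the mismatch above.
func CheckCompactJWE(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return "", errors.New("jwe: compact serialization must have exactly 5 segments")
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", errors.New("jwe: protected header is not valid base64url")
	}
	var hdr struct {
		Alg string `json:"alg"`
		Enc string `json:"enc"`
	}
	if err := json.Unmarshal(rawHeader, &hdr); err != nil || hdr.Alg == "" || hdr.Enc == "" {
		return "", errors.New("jwe: protected header must be JSON carrying alg and enc")
	}
	if algNeedsEncryptedKey[hdr.Alg] && parts[1] == "" {
		return hdr.Alg, ErrMissingEncryptedKey
	}
	return hdr.Alg, nil
}

// b64 encodes a constructed sample segment as unpadded base64url.
func b64(s string) string { return base64.RawURLEncoding.EncodeToString([]byte(s)) }
```

Unknown alg values are passed through unchanged so the library's own algorithm validation still applies.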