fix: bump Go toolchain to 1.26.4 (CVE-2026-42504 / GO-2026-5038) #3578

Open
1n wants to merge 1 commit into jfrog:master from 1n:fix/bump-go-toolchain-1.26.4

1n commented Jun 30, 2026

What

Bumps the Go toolchain version in go.mod from 1.26.3 to 1.26.4.

Why

Go 1.26.3 is vulnerable to CVE-2026-42504 (GO-2026-5038) — a denial-of-service in mime.WordDecoder.DecodeHeader. The fix was released in Go 1.26.4 on 2026-06-02.

Closes #3577

Change

-go 1.26.3
+go 1.26.4
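
Review bot: the line changed here is the `go` directive, not a `toolchain` directive, although the description calls this a toolchain bump. Since Go 1.21 the `go` line is an enforced minimum, so `go 1.26.4` makes every build of this module, and of any module that imports it, require Go 1.26.4 or later. If raising the minimum is intended, say so in the description; if the aim is only to build with the patched release, keeping `go 1.26.3` and adding `toolchain go1.26.4` selects 1.26.4 for builds of this module under the default GOTOOLCHAIN setting without raising the floor for importers. Also confirm that any Go version pinned outside go.mod (CI, release images) moves to 1.26.4, since this hunk touches only go.mod.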

Verification

$ go build -o /tmp/jfrog-test .
$ go version /tmp/jfrog-test
/tmp/jfrog-test: go1.26.4
$ go vet ./...
# (clean)

References

github-actions Bot commented Jun 30, 2026

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

1n force-pushed the fix/bump-go-toolchain-1.26.4 branch from 4133297 to fbef3bf on June 30, 2026 08:14

1n commented Jun 30, 2026

I have read the CLA Document and I hereby sign the CLA

Go 1.26.x before 1.26.4 is vulnerable to DoS in mime.WordDecoder.DecodeHeader
(CVE-2026-42504 / GO-2026-5038). The fix was released in Go 1.26.4 on 2026-06-02.

https://pkg.go.dev/vuln/GO-2026-5038

1n force-pushed the fix/bump-go-toolchain-1.26.4 branch from fbef3bf to 02dab9b on June 30, 2026 08:27

Development

Successfully merging this pull request may close these issues.

Security: CVE-2026-42504 (GO-2026-5038) — mime DoS in Go 1.26.3
