
Security: CVE-2026-42504 (GO-2026-5038) — mime DoS in Go 1.26.3 #3577

Description

@1n

Summary

jfrog-cli is built with Go 1.26.3, which is vulnerable to a denial-of-service in mime.WordDecoder.DecodeHeader (CVE-2026-42504 / GO-2026-5038).

Vulnerability Details

Field    | Value
CVE      | CVE-2026-42504
OSV      | GO-2026-5038
Severity | High
Affected | github.com/golang/go from go1.26.0 before go1.26.4
Fix      | go1.26.4 (released 2026-06-02)

Evidence — JFrog Xray scan

We noticed this while running Xray scans on CI agent images that bundle the jfrog-cli binary. A build scan of an image running jf version 2.111.0 (Go 1.26.3) surfaces:

CVE            | Severity | Component            | Version | Fixed in
CVE-2026-42504 | High     | github.com/golang/go | 1.26.3  | 1.26.4
CVE-2026-42507 | Medium   | github.com/golang/go | 1.26.3  | 1.26.4
CVE-2026-27145 | Medium   | github.com/golang/go | 1.26.3  | —

Go 1.26.4 resolves the first two. It would be great to get this patched upstream so the fix flows through automatically.

Fix

One-line change in go.mod — a PR is attached:

-go 1.26.3
+go 1.26.4
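Review bot: the `go` directive bumped here is a minimum toolchain version, not a record of what produced the shipped `jf` binary. With the default GOTOOLCHAIN=auto the go command will fetch go1.26.4 when the local toolchain is older, but a CI workflow or Dockerfile that pins go1.26.3 explicitly (or sets GOTOOLCHAIN=local) will either keep producing affected binaries or fail the build, so the pinned toolchain in the release pipeline should be bumped alongside this line, and the built artifact verified with `go version -m` reporting go1.26.4 before the issue is closed.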

References
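As an added example, not part of this report or of the jfrog-cli project, the program below does the check a reader of the Xray table above would want to repeat locally: it reads the Go build info embedded in an executable with the standard library's debug/buildinfo package (the same data `go version -m` prints and that Xray reports as the github.com/golang/go component) and tests the recorded toolchain against the advisory's affected range, go1.26.0 up to but not including go1.26.4. The program name `gocheck` and all function names are this example's own assumptions; the version bounds are taken from the advisory fields above.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// goVersion is a parsed toolchain version such as "go1.26.3".
type goVersion struct{ major, minor, patch int }

// parseGoVersion parses the GoVersion string recorded in a binary's build
// info. "go1.26" (the form Go uses for a .0 release) is treated as 1.26.0.
// Pre-release strings such as "go1.27rc1" are rejected rather than guessed
// at, so they are never silently reported as fixed.
func parseGoVersion(s string) (goVersion, error) {
	var v goVersion
	s = strings.TrimSpace(s)
	if !strings.HasPrefix(s, "go") {
		return v, fmt.Errorf("not a Go toolchain version: %q", s)
	}
	parts := strings.Split(strings.TrimPrefix(s, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return v, fmt.Errorf("unexpected version format: %q", s)
	}
	fields := []*int{&v.major, &v.minor, &v.patch}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("non-numeric component %q in %q", p, s)
		}
		*fields[i] = n
	}
	return v, nil
}

// less reports whether v sorts before o.
func (v goVersion) less(o goVersion) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	return v.patch < o.patch
}

// Range taken from the GO-2026-5038 entry: go1.26.0 <= v < go1.26.4.
var (
	affectedFrom = goVersion{1, 26, 0}
	fixedIn      = goVersion{1, 26, 4}
)

// isAffected reports whether a toolchain version string falls inside the
// advisory's affected range. Unparseable input is an error, not "fixed".
func isAffected(version string) (bool, error) {
	v, err := parseGoVersion(version)
	if err != nil {
		return false, err
	}
	return !v.less(affectedFrom) && v.less(fixedIn), nil
}

// checkBinary reads the build info embedded in an executable (what
// `go version -m` shows) and returns the toolchain version and the verdict.
func checkBinary(path string) (string, bool, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	affected, err := isAffected(bi.GoVersion)
	return bi.GoVersion, affected, err
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: gocheck <binary> [<binary> ...]")
		os.Exit(2)
	}
	exit := 0
	for _, p := range os.Args[1:] {
		ver, affected, err := checkBinary(p)
		switch {
		case err != nil:
			fmt.Printf("%s: %v\n", p, err)
			exit = 2
		case affected:
			fmt.Printf("%s: built with %s, AFFECTED by CVE-2026-42504 (fixed in go1.26.4)\n", p, ver)
			exit = 1
		default:
			fmt.Printf("%s: built with %s, not in the affected range\n", p, ver)
		}
	}
	os.Exit(exit)
}
```

Run it as `gocheck /usr/local/bin/jf` inside the CI image; exit status 1 marks an affected build, which makes it usable as a gate in a pipeline step. Reading the embedded build info is more reliable than trusting the `go` line in go.mod, because it records the toolchain that actually compiled the artifact.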
