Component backup-and-restore-sdk version(s) 1.19.49, 1.19.51 and 1.19.53 coming up on scan reports are affected by CVE-2026-34986 / GHSA-78h2-9frx-2jm8.

This vulnerability is related to Go JOSE Panics in JWE decryption.

CVE-2026-34986 / GHSA-78h2-9frx-2jm8 was detected in go-jose v4 on versions prior to 4.1.4 within backup-and-restore-sdk.

This Go dependency is included but the vulnerable code path is not reachable in the component's runtime execution context. Therefore, the component is considered not affected.

Fix available on go-jose 4.1.4 and later.