From da1a6da0028ee2ca735fee1f10786bafb1405cd0 Mon Sep 17 00:00:00 2001
From: Rein Krul <info@reinkrul.nl>
Date: Fri, 5 Jun 2026 14:54:09 +0200
Subject: [PATCH] Bump go directive to 1.26.4 to fix stdlib CVEs

Fixes GO-2026-5039 (net/textproto error message injection) and
GO-2026-5037 (crypto/x509 VerifyHostname quadratic DoS), both fixed
in Go 1.26.4. The Dockerfile already builds with golang:1.26.4; this
aligns the go.mod directive used by the govulncheck scan.

Assisted by AI
---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index fa2da2864..f8fa84244 100644
--- a/go.mod
+++ b/go.mod
@@ -2,7 +2,7 @@ module github.com/nuts-foundation/nuts-node
 
 // This is the minimal version, the actual go version is determined by the images in the Dockerfile
 // This version is used in automated tests such as the 'Scheduled govulncheck' action
-go 1.26.3
+go 1.26.4
 
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.1