It was discovered that an incorrect implementation of AES GCM decryption in cjose, a C library implementing the JOSE standard may allow an attacker to provide a truncated Authentication Tag and modify the JWE object.