Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, a flaw in Hono's JWK/JWKS JWT verification middleware allowed the JWT header's alg value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. As part of the fix, the JWT middleware now requires the alg option to be explicitly specified, which prevents algorithm confusion by ensuring that the verification algorithm is never derived from untrusted JWT header values. This vulnerability is fixed in 4.11.4.
Published: 2026-01-13
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: JWT Algorithm Confusion and Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in Hono's JWK/JWKS JWT verification middleware, which previously let the alg value in a token's header decide the algorithm used for signature checking whenever the selected JSON Web Key carried no explicit alg of its own. Because the header is attacker-controlled, an attacker can steer verification to an algorithm the server never intended to accept and present a token that passes the signature check, bypassing authentication controls that rely on correctly signed tokens. The flaw is classified as CWE-347 (Improper Verification of Cryptographic Signature): untrusted header values influence how the signature is validated.

Affected Systems

The issue affects installations of the Hono framework earlier than 4.11.4. Applications that use the bundled JWT middleware with JWK/JWKS key material and do not explicitly specify the algorithm in the middleware options are exposed. The CPE recorded by NVD (cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*) names the Node.js target, but the flaw is in the framework's own middleware and Hono runs on any JavaScript runtime, so deployments on serverless or edge runtimes executing the same middleware code are affected in the same way.

Risk and Exploitability

The item has a CVSS v3.1 base score of 8.2 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N: remotely reachable, low attack complexity, no privileges or user interaction required, with a high integrity impact and a low confidentiality impact. The SSVC assessment marks it Automatable: yes and Exploitation: none, and the EPSS score is below 1 %, so no exploitation in the wild is recorded; the vulnerability is not listed in CISA's KEV catalog. An attacker who can submit tokens to the application crafts one whose header alg names an algorithm the server did not intend to accept; because the vulnerable verifier derives the algorithm from the header when the selected JWK carries no alg, the signature is checked under the attacker-chosen algorithm rather than the one the key was issued for. The advisory title names an unsafe HS256 default as the concrete path to token forgery and authentication bypass. Prompt remediation is advised.

Generated by OpenCVE AI on April 18, 2026 at 06:32 UTC.

Remediation

No vendor fix or workaround is recorded in this field, although the description and the GitHub advisory state that the issue is fixed in Hono 4.11.4.

OpenCVE Recommended Actions

  • Upgrade Hono to version 4.11.4 or later, which removes the algorithm confusion flaw and makes the alg option mandatory.
  • When configuring the JWT middleware, explicitly set the alg option to the single verification algorithm the application expects, so that the token header can never select the algorithm.
  • If an upgrade cannot occur immediately, set the alg option explicitly anyway, make sure every JWK served from the JWKS endpoint carries an explicit alg, and add a server-side check that rejects any token whose header alg does not match the expected value before the signature is verified.


Advisories
Source: GitHub GHSA
ID: GHSA-f67f-6cw9-8mq4
Title: Hono JWT Middleware's JWT Algorithm Confusion via Unsafe Default (HS256) Allows Token Forgery and Auth Bypass
History

Tue, 20 Jan 2026 17:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*

Wed, 14 Jan 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 14 Jan 2026 11:15:00 +0000

Type: First Time appeared
Values Added: Hono (vendor); Hono hono (product)

Type: Vendors & Products
Values Added: Hono (vendor); Hono hono (product)

Tue, 13 Jan 2026 20:00:00 +0000

Type: Description
Values Added: Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono's JWK/JWKS JWT verification middleware allowed the JWT header's alg value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. As part of this fix, the JWT middleware now requires the alg option to be explicitly specified. This prevents algorithm confusion by ensuring that the verification algorithm is not derived from untrusted JWT header values. This vulnerability is fixed in 4.11.4.

Type: Title
Values Added: JWT Algorithm Confusion via Unsafe Default (HS256) in Hono JWT Middleware Allows Token Forgery and Auth Bypass

Type: Weaknesses
Values Added: CWE-347

Type: References
Values Added: (none recorded on this page)

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-14T19:12:35.457Z

Reserved: 2026-01-09T22:50:10.289Z

Link: CVE-2026-22817

Vulnrichment

Updated: 2026-01-14T19:12:32.381Z

NVD

Status : Analyzed

Published: 2026-01-13T20:16:11.570

Modified: 2026-01-20T16:48:05.767

Link: CVE-2026-22817

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:45:23Z

Weaknesses