Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly define an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. The JWK/JWKS JWT verification middleware has been updated to require an explicit allowlist of asymmetric algorithms when verifying tokens. The middleware no longer derives the verification algorithm from untrusted JWT header values. This vulnerability is fixed in 4.11.4.
Published: 2026-01-13
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: JWT Algorithm Confusion Allowing Forged Token Acceptance
Action: Patch
AI Analysis

Impact

The flaw in the Hono framework’s JWK/JWKS JWT verification middleware permits the algorithm declared in the JWT header to dictate how the signature is verified when the selected JSON Web Key does not explicitly define an algorithm. This lets an attacker craft a token that names a weaker or unintended algorithm and have it accepted by the middleware, so a forged token may be treated as a legitimate credential.

Affected Systems

The vulnerability affects applications built with the Hono JavaScript web framework prior to version 4.11.4. Any deployment that relies on the default JWT verification middleware without explicitly configuring an allowed algorithm list is susceptible. No specific operating system or runtime environment is required beyond a JavaScript runtime capable of hosting Hono.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.2, indicating a high impact on confidentiality and authentication. The EPSS score is under 1%, suggesting that, while exploitation is possible, observed real-world exploitation is currently limited. The issue is not listed in the CISA KEV catalog. An attacker would need to send a crafted JWT containing a manipulated algorithm field to a protected route of a vulnerable application; if the middleware falls back to header.alg without validation, the token is accepted and grants access. No privileges or other preconditions are required beyond network reachability of the authentication endpoint.

Generated by OpenCVE AI on April 18, 2026 at 06:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Hono framework to version 4.11.4 or later to enforce an explicit allowlist of asymmetric algorithms in JWT verification.
  • Configure the middleware’s algorithm allowlist to include only strong asymmetric algorithms (e.g., RS256, ES256) when deploying the application.
  • Audit existing JWT authentication endpoints to ensure they reject tokens whose associated JWK does not explicitly define an "alg" value.

Advisories

Source: GitHub GHSA
ID: GHSA-3vhc-576x-3qv4
Title: Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks "alg" (untrusted header.alg fallback)
History

Tue, 20 Jan 2026 17:00:00 +0000

CPEs (added): cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*

Thu, 15 Jan 2026 16:15:00 +0000

Metrics (added): ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 11:15:00 +0000

First Time appeared (added): Hono; Hono hono
Vendors & Products (added): Hono; Hono hono

Tue, 13 Jan 2026 20:00:00 +0000

Description (added): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly define an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. The JWK/JWKS JWT verification middleware has been updated to require an explicit allowlist of asymmetric algorithms when verifying tokens. The middleware no longer derives the verification algorithm from untrusted JWT header values. This vulnerability is fixed in 4.11.4.
Title (added): JWT algorithm confusion in Hono JWK Auth Middleware when JWK lacks "alg" (untrusted header.alg fallback)
Weaknesses (added): CWE-347
References (added):
Metrics (added): cvssV3_1
{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-15T15:29:39.849Z

Reserved: 2026-01-09T22:50:10.289Z

Link: CVE-2026-22818

Vulnrichment

Updated: 2026-01-15T15:29:36.877Z

NVD

Status : Analyzed

Published: 2026-01-13T20:16:11.740

Modified: 2026-01-20T16:47:51.700

Link: CVE-2026-22818

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:45:23Z

Weaknesses