CVE-2026-44459 - Vulnerability Details

Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches verify() — typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control. This vulnerability is fixed in 4.12.18.

Published: 2026-05-13

Score: 3.8 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw arises from the JWT utility in the Hono framework failing to validate the NumericDate claims – exp, nbf, and iat – during verification. When a token containing a non‑spec‑compliant timestamp reaches verify(), the checks silently succeed, which allows the token to be accepted even though its time claims are invalid. The description makes clear that an attacker who does not control either the token issuance or the signing key cannot use this flaw to forge a valid token, so the vulnerability is not directly exploitable from outside the application.

Affected Systems

All installations of the honojs Hono web framework with a version older than 4.12.18, regardless of the JavaScript runtime used, inherit this issue. The vulnerability was fixed in the 4.12.18 release, after which proper validation of NumericDate claims was restored.

Risk and Exploitability

With a CVSS score of 3.8, the vulnerability is classified as low severity and is not listed in the CISA KEV catalog. The Exploit Prediction Scoring System does not have a score for this issue. Exploitation requires reuse of a token that contains a malformed timestamp or an attacker who controls the signing key used in verification, scenarios that are unlikely to arise outside of a compromised or misconfigured internal service. Consequently, the practical risk to organizations is limited to situations where the application generates insecure tokens or the signing key is compromised.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

honojs

hono

affected

Version	Status	Constraints
`< 4.12.18`	affected	—

Configuration 1 [-]

cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*

No data.

Vendor Product Confidence Versions

Hono

90%

Version	Status	Scheme	Platform
`[0,4.12.18)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Hono to version 4.12.18 or later in all environments.
Ensure that JWT signing keys are stored securely and rotate them promptly if a key compromise is suspected.
Validate timestamp claims during token generation or before the token is accepted by downstream services to guarantee compliance with the JWT specification.

Generated by OpenCVE AI on May 13, 2026 at 17:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-hm8q-7f3q-5f36	Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00021.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/honojs/hono/security/advisories/GHSA-hm8q-7f3q-5f36

History

Wed, 13 May 2026 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Hono Hono hono
CPEs		cpe:2.3:a:hono:hono::::::node.js::*
Vendors & Products		Hono Hono hono

Wed, 13 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Description		Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches verify() — typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control. This vulnerability is fixed in 4.12.18.
Title		Hono: Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
Weaknesses		CWE-1284
References		https://github.com/honojs/hono/security/advisories/GHSA-hm8q-7f3q-5f36
Metrics		cvssV3_1 `{'score': 3.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N'}`

Subscriptions

Hono Hono

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-13T15:02:23.872Z

Updated: 2026-05-13T18:36:31.135Z

Reserved: 2026-05-06T15:49:25.193Z

Link: CVE-2026-44459

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-13T16:16:57.970

Modified: 2026-05-13T18:21:48.107

Link: CVE-2026-44459

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:30:15Z

Weaknesses

CWE-1284
Improper Validation of Specified Quantity in Input

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object