Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses the Bearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds to JWT verification. A request presenting a valid JWT under a non-Bearer scheme identifier (such as Basic or Token) is authenticated identically to a correctly formed Bearer request. This vulnerability is fixed in 4.12.21.
Published: 2026-05-28
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The jwt and jwk middlewares in the Hono framework do not validate that the Authorization header carries a Bearer scheme. As a result, a request containing a valid JWT token under any other scheme name (e.g., Basic or Token) is treated the same as a proper Bearer request. This flaw allows an attacker to authenticate without adhering to the intended scheme, giving them unauthorized access to protected resources. The weakness is a classic authentication bypass (CWE‑285).

Affected Systems

The vulnerability affects the Hono framework from the honojs vendor. All releases prior to version 4.12.21 are impacted; versions 4.12.21 and later contain the fix.

Risk and Exploitability

With a CVSS score of 4.8 the flaw is considered moderate in severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is straightforward: an attacker sends an HTTP request with an Authorization header that uses a non‑Bearer scheme but carries a valid JWT token. If the application relies on Hono’s jwt/jwk middleware, the request will be accepted, granting the attacker access. The lack of scheme enforcement represents a non‑fatal yet exploitable weakness that can be leveraged by attackers able to craft malicious HTTP requests.

Generated by OpenCVE AI on May 28, 2026 at 19:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Hono framework to version 4.12.21 or later, which includes enforcement of the Bearer scheme in the jwt/jwk middleware.
  • If an upgrade is delayed, implement an application‑level check that rejects Authorization headers whose scheme is not Bearer, or use the web server to filter such headers before they reach Hono.
  • Review and harden any custom middleware or configuration that disables scheme validation to ensure that only Bearer tokens are accepted.
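As an added example (not Hono's own code and not from the advisory), the lenient two-part parsing this CVE describes is shown beside a strict Bearer check an application can apply itself, plus a log-review helper that flags non-Bearer schemes carrying JWT-shaped credentials; the sample token and all function names are constructed for this illustration.

```javascript
// Added example, not Hono's own code: contrasts the lenient two-part parsing this
// advisory describes (pre-4.12.21 behaviour) with a strict Bearer check, and adds a
// log-review helper that flags non-Bearer schemes carrying JWT-shaped credentials.
// SAMPLE_JWT is a constructed placeholder; nothing here verifies a signature.
const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.sig';

// Lenient parsing: any "<scheme> <credential>" pair yields a token, so
// "Basic <jwt>" and "Token <jwt>" reach JWT verification just like "Bearer <jwt>".
function extractTokenLenient(authorization) {
  if (typeof authorization !== 'string') return null;
  const parts = authorization.trim().split(/\s+/);
  return parts.length === 2 ? parts[1] : null; // scheme name is never inspected
}

// Strict parsing: the scheme must be "Bearer" (auth-scheme names are
// case-insensitive, RFC 9110) and the credential must be a single token68 value
// (RFC 6750 b64token). Anything else is rejected before JWT verification.
const BEARER_RE = /^Bearer\s+([A-Za-z0-9\-._~+\/]+=*)$/i;
function extractTokenStrict(authorization) {
  if (typeof authorization !== 'string') return null;
  const match = BEARER_RE.exec(authorization.trim());
  return match ? match[1] : null;
}

// Detection aid for access logs or a WAF rule: a non-Bearer scheme whose credential
// has the three dot-separated base64url segments of a JWT is exactly the pattern
// this CVE describes and is worth alerting on.
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;
function classifyAuthorization(authorization) {
  const [scheme = '', ...rest] = (authorization || '').trim().split(/\s+/);
  const credential = rest.join(' ');
  const isBearer = /^bearer$/i.test(scheme);
  return { scheme, isBearer, suspicious: !isBearer && JWT_SHAPE.test(credential) };
}

// Minimal guard in the shape of a Hono middleware (c.req.header() and c.text() are
// real Hono context methods; the app wiring is assumed, not shown). Register it
// before the jwt/jwk middleware if upgrading is delayed.
function requireBearerScheme() {
  return async (c, next) => {
    if (extractTokenStrict(c.req.header('Authorization')) === null) {
      return c.text('Unauthorized', 401);
    }
    await next();
  };
}
```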



Advisories

No advisories yet.

History

Fri, 29 May 2026 17:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hono; Hono hono
CPEs | | cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*
Vendors & Products | | Hono; Hono hono

Thu, 28 May 2026 17:00:00 +0000

Type | Values Removed | Values Added
Description | | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses the Bearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds to JWT verification. A request presenting a valid JWT under a non-Bearer scheme identifier (such as Basic or Token) is authenticated identically to a correctly formed Bearer request. This vulnerability is fixed in 4.12.21.
Title | | Hono: JWT middleware accepts any Authorization scheme, not only Bearer
Weaknesses | | CWE-285
References | |
Metrics | | cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T15:29:44.160Z

Reserved: 2026-05-19T21:10:38.798Z

Link: CVE-2026-47673

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T17:16:32.233

Modified: 2026-05-29T17:05:59.723

Link: CVE-2026-47673

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T19:15:06Z

Weaknesses