CVE-2026-22817
Unknown Unknown - Not Provided

JWT Algorithm Confusion Vulnerability in Hono JWT Middleware

Vulnerability report for CVE-2026-22817, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: GitHub, Inc.

Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the JWT header’s alg value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. As part of this fix, the JWT middleware now requires the alg option to be explicitly specified. This prevents algorithm confusion by ensuring that the verification algorithm is not derived from untrusted JWT header values. This vulnerability is fixed in 4.11.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-07-06
AI Q&A
2026-01-14
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
hono hono 4.11.4

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Hono's JWT verification middleware allowed the JWT header's 'alg' value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could lead to JWT algorithm confusion, potentially allowing forged tokens to be accepted. The fix requires the 'alg' option to be explicitly specified to prevent this confusion.

Impact Analysis

This vulnerability can allow attackers to forge JWT tokens that are accepted as valid by the application, potentially leading to unauthorized access or privilege escalation.

Mitigation Strategies

Upgrade Hono to version 4.11.4 or later, as this version includes a fix that requires the alg option to be explicitly specified in the JWT middleware, preventing algorithm confusion and acceptance of forged tokens.

Detection Guidance

To detect this vulnerability, you should check if your Hono JWT middleware configuration explicitly specifies the 'alg' parameter in the JWT verification options. Vulnerable versions prior to 4.11.4 do not require this parameter, allowing algorithm confusion attacks. You can audit your application code for usage of the jwt middleware and verify if 'alg' is set. For example, look for code like `app.use('/auth/*', jwt({ secret: 'your-secret' }))` which is vulnerable, versus the fixed usage `app.use('/auth/*', jwt({ secret: 'your-secret', alg: 'HS256' }))`. Additionally, monitoring JWT tokens in your network traffic for unexpected or mismatched 'alg' header values could indicate exploitation attempts. There are no specific commands provided in the resources, but code inspection and configuration review are recommended detection methods. [2, 1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22817. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart