CVE-2026-22817
JWT Algorithm Confusion Vulnerability in Hono JWT Middleware

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: GitHub, Inc.

Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, a flaw in Hono's JWK/JWKS JWT verification middleware allowed the JWT header's alg value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. As part of the fix, the JWT middleware now requires the alg option to be explicitly specified, which prevents algorithm confusion by ensuring that the verification algorithm is not derived from untrusted JWT header values. This vulnerability is fixed in 4.11.4.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-14
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE:
Vendor: hono
Product: hono
Version / Range: 4.11.4
CWE
CWE-347: The product does not verify, or incorrectly verifies, the cryptographic signature for data.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Hono's JWT verification middleware allowed the JWT header's 'alg' value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could lead to JWT algorithm confusion, potentially allowing forged tokens to be accepted. The fix requires the 'alg' option to be explicitly specified to prevent this confusion.


How can this vulnerability impact me?

This vulnerability can allow attackers to forge JWT tokens that are accepted as valid by the application, potentially leading to unauthorized access or privilege escalation.


What immediate steps should I take to mitigate this vulnerability?

Upgrade Hono to version 4.11.4 or later, as this version includes a fix that requires the alg option to be explicitly specified in the JWT middleware, preventing algorithm confusion and acceptance of forged tokens.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

To detect this vulnerability, you should check if your Hono JWT middleware configuration explicitly specifies the 'alg' parameter in the JWT verification options. Vulnerable versions prior to 4.11.4 do not require this parameter, allowing algorithm confusion attacks. You can audit your application code for usage of the jwt middleware and verify if 'alg' is set. For example, look for code like `app.use('/auth/*', jwt({ secret: 'your-secret' }))` which is vulnerable, versus the fixed usage `app.use('/auth/*', jwt({ secret: 'your-secret', alg: 'HS256' }))`. Additionally, monitoring JWT tokens in your network traffic for unexpected or mismatched 'alg' header values could indicate exploitation attempts. There are no specific commands provided in the resources, but code inspection and configuration review are recommended detection methods. [2, 1]
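As an added example (not from this page and not Hono's own code), a small Node.js script that performs the code audit described above: it scans source text for `jwt(...)` and `jwk(...)` middleware calls whose options object has no top-level `alg` key and reports their line numbers. The sample source is constructed; the `hono/jwk` import path and the `jwks_uri` option in it are assumptions about Hono's API, not taken from this page.

```javascript
'use strict';
// Added example, not Hono's code: static check for Hono jwt()/jwk() middleware
// calls whose options object lacks an explicit top-level `alg`, the option the
// 4.11.4 fix makes mandatory.

// Constructed sample source (the hono/jwk import and jwks_uri option are assumed).
const SAMPLE_SOURCE = `
import { Hono } from 'hono'
import { jwt } from 'hono/jwt'
import { jwk } from 'hono/jwk'
const app = new Hono()
app.use('/auth/*', jwt({ secret: 'your-secret' }))              // missing alg
app.use('/api/*', jwt({ secret: 'your-secret', alg: 'HS256' })) // explicit alg
app.use('/jwks/*', jwk({ jwks_uri: 'https://issuer.example/.well-known/jwks.json' }))
`;

// Return the balanced `{ ... }` literal starting at `start`, or null if unbalanced.
function extractObjectLiteral(src, start) {
  let depth = 0;
  for (let i = start; i < src.length; i++) {
    if (src[i] === '{') depth++;
    else if (src[i] === '}' && --depth === 0) return src.slice(start, i + 1);
  }
  return null;
}

// Find jwt()/jwk() calls whose first argument is an object literal without a
// top-level `alg` key. Nested objects (e.g. a JWK inside `keys: [...]`) are
// stripped first, so an `alg` on an inner key does not satisfy the check.
function findMissingAlg(src) {
  const findings = [];
  const callRe = /\b(jwt|jwk)\s*\(\s*\{/g;
  let m;
  while ((m = callRe.exec(src)) !== null) {
    const literal = extractObjectLiteral(src, m.index + m[0].length - 1);
    if (literal === null) continue;
    let topLevel = literal.slice(1, -1);
    for (let prev = null; prev !== topLevel; ) {
      prev = topLevel;
      topLevel = topLevel.replace(/\{[^{}]*\}/g, '');
    }
    if (!/(^|[\s,])['"]?alg['"]?\s*:/.test(topLevel)) {
      const line = src.slice(0, m.index).split('\n').length;
      findings.push({ line, middleware: m[1], options: literal.trim() });
    }
  }
  return findings;
}

console.log(JSON.stringify(findMissingAlg(SAMPLE_SOURCE), null, 2));
```

Run it over each source file (for example by reading the file into `findMissingAlg`); every finding is a middleware call to review against the fixed usage shown above.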

