CVE-2026-22818
JWT Algorithm Confusion Vulnerability in Hono JWK Middleware
Publication date: 2026-01-13
Last updated on: 2026-01-13
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hono | hono | < 4.11.4 (fixed in 4.11.4) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability could impact compliance with standards and regulations such as GDPR and HIPAA by potentially allowing forged JWT tokens to bypass authentication or authorization controls. This could lead to unauthorized access to sensitive personal or health data, violating data protection and privacy requirements mandated by these regulations. By enabling algorithm confusion attacks, the flaw undermines the integrity of authentication mechanisms, increasing the risk of data breaches and non-compliance with security controls required by such standards. The fix enforces strict algorithm allowlisting to prevent such attacks, thereby helping maintain compliance. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by reviewing your Hono framework usage to check whether the JWK/JWKS JWT verification middleware is used without an explicit allowlist of asymmetric algorithms (the 'alg' option). Specifically, look for middleware usage where the 'alg' option is omitted or where symmetric algorithms are accepted. No network detection commands are provided, but you can audit your application code for vulnerable middleware usage patterns: search your codebase for jwk middleware calls that lack the 'alg' parameter or that allow symmetric algorithms. Example command to find candidate usage in code: `grep -r "jwk({" ./ | grep -v "alg:"`. Note that this only filters out lines where 'alg:' appears on the same line as 'jwk({'; option objects spread over several lines still need manual review. Additionally, ensure your Hono version is 4.11.4 or later, as earlier versions are vulnerable. No runtime detection commands or network signatures are provided in the resources. [1, 2]
Can you explain this vulnerability to me?
This vulnerability is a flaw in Hono's JWK/JWKS JWT verification middleware prior to version 4.11.4. It allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly define an algorithm. This could lead to JWT algorithm confusion, potentially allowing forged tokens to be accepted. The issue was fixed by requiring an explicit allowlist of asymmetric algorithms and no longer trusting the JWT header's algorithm value for verification.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to forge JWT tokens that could be accepted as valid by the application. This could lead to unauthorized access or privilege escalation within applications using the affected Hono middleware, potentially compromising the integrity and security of your system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Hono to version 4.11.4 or later, as this version includes a fix that requires an explicit allowlist of asymmetric algorithms for JWT verification and no longer derives the verification algorithm from untrusted JWT header values.