CVE-2026-47673
Status: Analyzed - Analysis Complete
JWT Authorization Bypass in Hono Framework

Publication date: 2026-05-28

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses the Bearer scheme. Any two-part header value, regardless of the scheme name in the first position, proceeds to JWT verification. A request presenting a valid JWT under a non-Bearer scheme identifier (such as Basic or Token) is authenticated identically to a correctly formed Bearer request. This vulnerability is fixed in 4.12.21.
Meta Information
Published: 2026-05-28
Last Modified: 2026-05-29
Generated: 2026-06-17
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-16
Affected Vendors & Products (1 associated CPE)
Vendor: hono
Product: hono
Version / Range: up to 4.12.21 (excluding)
CWE
CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The vulnerability exists in the Hono web application framework in versions prior to 4.12.21, specifically in the jwt and jwk middlewares. These middlewares do not verify that the Authorization header uses the Bearer scheme defined by RFC 6750. Instead, they accept any two-part Authorization header value regardless of the scheme name in the first position, such as Basic or Token, and pass the second part straight to JWT verification.

This means that a request carrying a valid JWT under a non-Bearer scheme is authenticated exactly like a correctly formed Bearer request, which lets an attacker slip past security controls that key on the scheme name.

Compliance Impact

This vulnerability allows an attacker with a valid JWT to bypass scheme-aware security controls by presenting the token under a non-Bearer scheme, potentially leading to unauthorized access or token reuse across different authentication mechanisms.

Such unauthorized access could impact the confidentiality and integrity of protected data, which are critical requirements under common standards and regulations like GDPR and HIPAA.

Therefore, applications affected by this vulnerability may face increased risk of non-compliance with these regulations due to potential unauthorized data access.

Impact Analysis

This vulnerability allows an attacker who already holds a valid JWT to bypass security controls that key on the Authorization scheme, such as a Web Application Firewall (WAF) or API gateway rule that only inspects, logs or rate-limits Bearer credentials.

By presenting the token under a non-Bearer scheme, the attacker reaches the protected resource without the scheme-specific control firing, and may reuse a token across endpoints that are meant to accept different authentication mechanisms.

The overall impact is rated moderate (CVSS score 4.8) because of the high attack complexity and the limited confidentiality and integrity impact: the attacker must already possess a valid JWT, so the flaw cannot forge credentials on its own and grants no more than that token already authorises.

Detection Guidance

This vulnerability can be detected by monitoring Authorization headers in HTTP requests for tokens presented under non-Bearer schemes such as Basic or Token.

Use network traffic inspection or log analysis to find Authorization headers with two-part values whose scheme is not Bearer. Compare the scheme case-insensitively (scheme names are case-insensitive under RFC 7235, so a legitimate client may send 'bearer'). The signature to look for is a JWT-shaped credential (three dot-separated base64url segments) under a Basic or Token scheme; ordinary Basic credentials are a single base64 blob without dots and are not evidence of this issue.

For example, tcpdump or tshark can capture plaintext HTTP and grep or awk can filter the Authorization headers. Two caveats: on port 443 the headers travel inside TLS and are only visible after decryption (capture at the TLS-terminating proxy, or supply a key log file to tshark), and stock nginx and Apache access-log formats do not record the Authorization header, so the third command only works on a log that does (a custom log_format that includes $http_authorization, or a proxy debug log that writes full header lines). Prefer logging only the scheme rather than the whole credential.

  • tcpdump -A -s 0 'tcp port 80' | grep -i 'Authorization:' | grep -viE 'Authorization: *Bearer '
  • tshark -Y 'http.authorization && !(http.authorization contains "Bearer ")' -T fields -e ip.src -e http.request.uri -e http.authorization
  • grep -i 'Authorization:' /var/log/nginx/access.log | grep -viE 'Authorization: *Bearer '
Mitigation Strategies

The immediate mitigation step is to upgrade the Hono framework to version 4.12.21 or later, where the jwt and jwk middlewares validate the Authorization header scheme.

Until the upgrade is applied, add validation in your application (a middleware mounted ahead of jwt() or jwk()) or in your API gateway that only lets a request through when the Authorization value is exactly one Bearer credential; reject anything else with a 401 and a WWW-Authenticate: Bearer challenge rather than passing it on.

You may also add a Web Application Firewall (WAF) or API gateway rule that rejects requests whose Authorization header does not start with 'Bearer '. Match the scheme case-insensitively (scheme names are case-insensitive under RFC 7235, so legitimate clients may send 'bearer '), and make the rule cover the whole header value, because the vulnerable middleware accepts any two-part value.
