CVE-2026-22817 affects Hono Web application framework versions prior to 4.11.4. The vulnerability exists in the JWK/JWKS JWT verification middleware where the JWT header's algorithm value could influence signature verification when the selected JWK did not specify an algorithm. This flaw enables JWT algorithm confusion attacks, potentially allowing forged tokens to be accepted in certain configurations. The fix requires explicit specification of the algorithm option in JWT middleware to prevent algorithm confusion by ensuring verification algorithms are not derived from untrusted JWT header values.