CVE-2026-22818 affects Hono Web application framework versions prior to 4.11.4. The vulnerability exists in the JWK/JWKS JWT verification middleware, which allowed JWT header algorithm specifications to influence signature verification when the selected JWK didn't explicitly define an algorithm. This flaw could enable JWT algorithm confusion attacks and allow forged tokens to be accepted in certain configurations. The issue has been fixed in version 4.11.4 by requiring an explicit allowlist of asymmetric algorithms and preventing the middleware from deriving verification algorithms from untrusted JWT header values.