Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono’s JWK/JWKS JWT verification middl…
Published:
12 januari 2026 om 23:00:00
Alert date:
13 januari 2026 om 21:04:42
Source:
nvd.nist.gov
Web Technologies, Supply Chain & Dependencies
CVE-2026-22818 affects Hono Web application framework versions prior to 4.11.4. The vulnerability exists in the JWK/JWKS JWT verification middleware, which allowed JWT header algorithm specifications to influence signature verification when the selected JWK didn't explicitly define an algorithm. This flaw could enable JWT algorithm confusion attacks and allow forged tokens to be accepted in certain configurations. The issue has been fixed in version 4.11.4 by requiring an explicit allowlist of asymmetric algorithms and preventing the middleware from deriving verification algorithms from untrusted JWT header values.
Technical details
Mitigation steps:
Affected products:
Hono Web Framework
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-22818
https://github.com/honojs/hono/commit/190f6e28e2ca85ce3d1f2f54db1310f5f3eab134
https://github.com/honojs/hono/security/advisories/GHSA-3vhc-576x-3qv4
Related CVE's:
Related threat actors:
IOC's:
This article was created with the assistance of AI technology by Perceptive.