VDB
CVE-2026-22817
CVE-2026-22817
PUBLISHED
CVSS 8.199999809265137 HIGH
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the JWT header’s alg value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. As part of this fix, the JWT middleware now requires the alg option to be explicitly specified. This prevents algorithm confusion by ensuring that the verification algorithm is not derived from untrusted JWT header values. This vulnerability is fixed in 4.11.4.
EPSS 0.02% · 6.2th percentile
Risk Scores
CVSS v3.1
8.199999809265137
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
EPSS Score
0.02%
6.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| honojs | hono | < 4.11.4 |
| hono | hono | 0 |
| npm | hono | 0 |
Timeline
- Jan 13, 2026 CVE Published
- Jan 13, 2026 PoC Published
- Jan 13, 2026 PoC Published
- Jan 14, 2026 EPSS Score
- Jan 17, 2026 EPSS Score
- Jan 20, 2026 EPSS Score
- Jan 23, 2026 EPSS Score
- Jan 24, 2026 PoC Published
- Jan 24, 2026 PoC Published
- Jan 26, 2026 EPSS Score
- Jan 29, 2026 EPSS Score
- Feb 1, 2026 EPSS Score