PT-2026-2798 · Hono · Hono

Calloc134 +1 · Published 2026-01-13 · Updated 2026-01-14 · CVE-2026-22817

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Hono versions prior to 4.11.4

Description: Hono is a web application framework supporting various JavaScript runtimes. A flaw exists in its JWT verification middleware when keys are supplied via JWK/JWKS: if the selected JWK did not explicitly define an algorithm, the alg value from the untrusted JWT header could determine which algorithm was used for signature verification. This is a JWT algorithm confusion weakness and could potentially allow forged tokens to be accepted. The fix requires the alg option to be explicitly specified in the JWT middleware, so that untrusted JWT header values no longer determine the verification algorithm.

Recommendations: Update to Hono version 4.11.4 or later.
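As an added example (not Hono's own code), the following JavaScript contrasts the algorithm-selection logic behind this flaw with the approach of the fix: taking alg from the token header when the JWK has none, versus requiring an explicitly configured alg that the header and JWK may only confirm. Function names and the sample JWK and token are hypothetical, constructed for the demonstration.

```javascript
// Added example, not Hono's code: how the verification algorithm gets chosen
// before and after the fix. Function names and sample data are hypothetical.
function decodeJwtHeader(token) {
  const [headerB64] = token.split('.');
  if (!headerB64) throw new Error('malformed token');
  return JSON.parse(Buffer.from(headerB64, 'base64url').toString('utf8'));
}

// Vulnerable pattern: when the selected JWK carries no "alg", the value in the
// token header (written by whoever minted the token) decides how to verify.
function resolveAlgVulnerable(jwk, token) {
  return jwk.alg ?? decodeJwtHeader(token).alg;
}

// Hardened pattern (the approach of the fix): the application must configure
// "alg"; the JWK and the token header may only confirm it, never select it.
function resolveAlgHardened(options, jwk, token) {
  if (typeof options.alg !== 'string') {
    throw new Error('JWT middleware requires an explicit "alg" option');
  }
  if (jwk.alg !== undefined && jwk.alg !== options.alg) {
    throw new Error(`JWK alg ${jwk.alg} does not match configured ${options.alg}`);
  }
  const header = decodeJwtHeader(token);
  if (header.alg !== options.alg) {
    throw new Error(`token alg ${header.alg} rejected; expected ${options.alg}`);
  }
  return options.alg;
}

// Constructed sample data: an RSA public JWK without "alg" and a token whose
// header claims HS256 (the key material and signature are placeholders).
const rsaJwkNoAlg = { kty: 'RSA', kid: 'key-1', n: 'placeholder-modulus', e: 'AQAB' };

function makeToken(header) {
  const h = Buffer.from(JSON.stringify(header)).toString('base64url');
  const p = Buffer.from(JSON.stringify({ sub: 'demo' })).toString('base64url');
  return `${h}.${p}.placeholder-signature`;
}

// Returns what each resolver does with the same token and JWK.
function demo() {
  const token = makeToken({ alg: 'HS256', kid: 'key-1', typ: 'JWT' });
  const vulnerable = resolveAlgVulnerable(rsaJwkNoAlg, token); // "HS256", taken from the token
  let hardened;
  try { resolveAlgHardened({ alg: 'RS256' }, rsaJwkNoAlg, token); hardened = 'accepted'; }
  catch (e) { hardened = `rejected: ${e.message}`; }
  return { vulnerable, hardened };
}
```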

Weakness Enumeration

Improper Verification of Cryptographic Signature (CWE-347)

Related Identifiers

CVE-2026-22817
GHSA-F67F-6CW9-8MQ4

Affected Products

Hono