PT-2026-2799 · Hono · Hono

Calloc134 (+1)

Published 2026-01-13 · Updated 2026-01-15

CVE-2026-22818

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Hono versions prior to 4.11.4
Description: Hono is a web application framework supporting various JavaScript runtimes. A flaw exists in the JWK/JWKS JWT verification middleware: when the JWK selected for a token did not explicitly define an algorithm, the "alg" value from the JWT header could influence which algorithm was used to verify the signature. Because the JWT header is attacker-controlled, this is a JWT algorithm confusion weakness that could allow forged tokens to be accepted. The middleware has been updated to require an explicit allowlist of asymmetric algorithms for token verification, so the verification algorithm is no longer derived from untrusted JWT header values.
Recommendations: Update to Hono version 4.11.4 or later.

Weakness Enumeration: Improper Verification of Cryptographic Signature (CWE-347)

Related Identifiers: CVE-2026-22818, GHSA-3VHC-576X-3QV4

Affected Products: Hono