CVE-2026-22817
Published: 13 January 2026
Summary
CVE-2026-22817 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Hono (honojs/hono). Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation requires patching Hono to version 4.11.4 or later, directly eliminating the JWT algorithm confusion vulnerability.
Configuration settings mandate explicitly specifying the JWT verification algorithm, preventing reliance on untrusted alg values from the JWT header as per the fix.
Cryptographic protection enforces proper mechanisms for signature verification integrity, mitigating risks from improper JWT signature handling.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in public-facing JWT middleware directly enables remote forging and acceptance of tokens (T1606) via algorithm confusion; it maps to exploitation of an exposed web application (T1190).
NVD Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, a flaw in Hono's JWK/JWKS JWT verification middleware allowed the JWT header's alg value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. As part of this fix, the JWT middleware now requires the alg option to be explicitly specified. This prevents algorithm confusion by ensuring that the verification algorithm is not derived from untrusted JWT header values. This vulnerability is fixed in 4.11.4.
Deeper analysis
CVE-2026-22817 is a vulnerability in Hono, a web application framework that supports any JavaScript runtime, affecting versions prior to 4.11.4. The flaw exists in Hono's JWK/JWKS JWT verification middleware, where the JWT header's "alg" value could influence signature verification if the selected JWK did not explicitly specify an algorithm. This enables JWT algorithm confusion, potentially allowing forged tokens to be accepted in certain configurations.
The vulnerability can be exploited by remote attackers with network access, requiring low attack complexity, no privileges, no user interaction, and unchanged scope. Exploitation could result in high integrity impact through acceptance of forged JWT tokens, low confidentiality impact, and no availability impact, as reflected in its CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N). It is classified under CWE-347 (Improper Verification of Cryptographic Signature).
Hono addressed the issue in version 4.11.4 by modifying the JWT middleware to require the "alg" option to be explicitly specified, preventing algorithm confusion and ensuring the verification algorithm is not derived from untrusted JWT header values. Additional details are available in the GitHub security advisory (https://github.com/honojs/hono/security/advisories/GHSA-f67f-6cw9-8mq4) and the fix commit (https://github.com/honojs/hono/commit/cc0aa7ae327ed84cc391d29086dec2a3e44e7a1f).
Details
- CWE(s)