CVE-2026-47673: Hono: JWT middleware accepts any Authorization scheme, not only Bearer

June 4, 2026

The jwt and jwk middlewares do not verify that the Authorization header value uses theBearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds to JWT verification. A request presenting a valid JWT under a non-Bearer scheme identifier (such as Basic or Token) is authenticated identically to a correctly formed Bearer request.

References

github.com/advisories/GHSA-f577-qrjj-4474
github.com/honojs/hono/commit/5463db2735476959b8af67756f4e513f4fe19115
github.com/honojs/hono/releases/tag/v4.12.21
github.com/honojs/hono/security/advisories/GHSA-f577-qrjj-4474
nvd.nist.gov/vuln/detail/CVE-2026-47673

Code Behaviors & Features

Detect and mitigate CVE-2026-47673 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →