CVE-2026-22817: Hono JWT Middleware's JWT Algorithm Confusion via Unsafe Default (HS256) Allows Token Forgery and Auth Bypass

January 13, 2026

A flaw in Hono’s JWK/JWKS JWT verification middleware allowed the JWT header’s alg value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted.

References

github.com/advisories/GHSA-f67f-6cw9-8mq4
github.com/honojs/hono
github.com/honojs/hono/commit/cc0aa7ae327ed84cc391d29086dec2a3e44e7a1f
github.com/honojs/hono/security/advisories/GHSA-f67f-6cw9-8mq4
nvd.nist.gov/vuln/detail/CVE-2026-22817

Code Behaviors & Features

Detect and mitigate CVE-2026-22817 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →