CVE-2026-22818: Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks "alg" (untrusted header.alg fallback)

January 13, 2026

A flaw in Hono’s JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly define an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted.

References

github.com/advisories/GHSA-3vhc-576x-3qv4
github.com/honojs/hono
github.com/honojs/hono/commit/190f6e28e2ca85ce3d1f2f54db1310f5f3eab134
github.com/honojs/hono/security/advisories/GHSA-3vhc-576x-3qv4
nvd.nist.gov/vuln/detail/CVE-2026-22818

Code Behaviors & Features

Detect and mitigate CVE-2026-22818 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →