CVE-2026-22817

Identity Theft on the Edge: Exploiting JWT Algorithm Confusion in Hono

Amit Schendel
Senior Security Researcher

Jan 14, 2026 · 6 min read

Executive Summary (TL;DR)

Hono versions prior to 4.11.4 did not enforce a specific signing algorithm in the JWT middleware; the algorithm was taken from the token's own `alg` header. This classic 'Algorithm Confusion' flaw lets an attacker sign a forged token with the server's publicly available RSA public key, which the server then treats as an HMAC secret. The result is a total authentication bypass. Update to 4.11.4 immediately and explicitly define your `alg` parameter.

A critical authentication bypass vulnerability in the Hono web framework allows attackers to forge JSON Web Tokens (JWTs) by confusing the verification algorithm. By swapping asymmetric algorithms (like RS256) for symmetric ones (HS256) in the token header, an attacker can trick the server into verifying the signature using its own public key as a shared secret.

CVSS Score: 8.2 / 10
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Affected Systems

- Hono Web Framework (Node.js)
- Hono on Cloudflare Workers
- Hono on Deno
- Hono on Bun

Affected Versions Detail

Product: Hono (HonoJS)
Affected Versions: < 4.11.4
Fixed Version: 4.11.4

Attribute / Detail

CWE ID: CWE-347
Attack Vector: Network
CVSS Score: 8.2 (High)
Confidentiality: Low (Access)
Integrity: High (Forgery)
Exploit Status: PoC Available

CWE-347: Improper Verification of Cryptographic Signature

Vulnerability Timeline

CVE Published: 2026-01-13
Patch v4.11.4 Released: 2026-01-13
Public Disclosure (GHSA): 2026-01-13