CVE-2026-22818

Hono-r Among Thieves: Weaponizing JWT Algorithm Confusion in Hono Framework

Amit Schendel
Senior Security Researcher

Jan 14, 2026

Executive Summary (TL;DR)

Hono versions prior to 4.11.4 trust the JWT header's algorithm claim when the server's JWK Set lacks an explicit algorithm definition. An attacker can sign a malicious token using the server's public key as a symmetric HMAC secret (HS256), tricking the server into verifying the signature successfully and granting full access.

A critical authentication bypass in the Hono Web Framework allows attackers to exploit JWT algorithm confusion. By forcing the server to treat a public RSA key as a shared HMAC secret, attackers can forge valid tokens and gain administrative access.


Technical Appendix

CVSS Score
8.2 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Affected Systems

Hono Web Framework (Node.js)
Hono Web Framework (Deno)
Hono Web Framework (Cloudflare Workers)
Hono Web Framework (Bun)

Affected Versions Detail

Product            Affected Versions   Fixed Version
hono (HonoJS)      < 4.11.4            4.11.4

Attribute            Detail
CWE ID               CWE-347
Attack Vector        Network (Remote)
CVSS                 8.2 (High)
Impact               Authentication Bypass / Privilege Escalation
Exploit Status       POC Available
Affected Component   hono/jwk Middleware
CWE-347
Improper Verification of Cryptographic Signature

The product does not verify or incorrectly verifies the cryptographic signature of data, allowing an attacker to modify data without detection.

Vulnerability Timeline

Vulnerability Disclosed
2026-01-13
Patch v4.11.4 Released
2026-01-13
GHSA Advisory Published
2026-01-13