
CVE-2026-22817: JWT algorithm confusion vulnerability in Hono's JWK/JWKS middleware prior to version 4.11.4.


Score

6.5 Medium
  • Published Date: Jan 13, 2026
  • CISA KEV Date: *No Data*
  • Industries Affected: 20

Threat Predictions

  • EPSS Score: 0.0
  • EPSS Percentile: 4%

Exploitability

  • Score: 3.9
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED

Impact

  • Score: 2.5
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE


Overview

Hono, a versatile web application framework, contained a security flaw in its JWK/JWKS JWT verification middleware before version 4.11.4. The flaw stemmed from the middleware's handling of the JWT header's alg value, which could influence signature verification when the selected JWK lacked an explicit algorithm specification. Because that header is supplied by the token presenter rather than the server, this behaviour opened the door to JWT algorithm confusion, in which forged tokens could be accepted by the system under specific circumstances. The issue has been assigned a CVSS v3.1 base score of 8.2, indicating high severity. The vulnerability primarily affects integrity (rated high), with a low impact on confidentiality.

Remediation

  • To address this vulnerability, users of Hono should upgrade to version 4.11.4 or later. The fix in this version requires the JWT middleware's alg option to be specified explicitly, so the verification algorithm is taken from server-side configuration rather than derived from untrusted JWT header values. System administrators and developers using Hono in their applications should prioritize this update to mitigate the risk of attacks exploiting this vulnerability. It is also recommended to review and test the updated middleware configuration to confirm compatibility with existing systems and to verify that every verification path has an explicit alg and no longer relies on the token header.


Industries Affected

Below is a list of industries most commonly impacted or potentially at risk based on intelligence.

Low

  • Mining
  • Utilities
  • Information
  • Construction
  • Retail Trade
  • Manufacturing
  • Wholesale Trade
  • Educational Services
  • Finance and Insurance
  • Public Administration
  • Real Estate Rental and Leasing
  • Transportation and Warehousing
  • Accommodation and Food Services
  • Health Care and Social Assistance
  • Arts, Entertainment, and Recreation
  • Management of Companies and Enterprises
  • Agriculture, Forestry, Fishing and Hunting
  • Other Services (except Public Administration)
  • Professional, Scientific, and Technical Services
  • Administrative and Support and Waste Management and Remediation Services
