CVE-2026-22818
JWT algorithm confusion vulnerability in hono (npm)
What is CVE-2026-22818 About?
A flaw in Hono's JWK/JWKS JWT verification middleware allowed the algorithm in the JWT header to influence signature verification if the JWK lacked an explicit algorithm, potentially enabling JWT algorithm confusion. This could lead to forged tokens being accepted, bypassing authentication or authorization. This vulnerability can be exploited remotely by crafting a malicious JWT.
Affected Software
Technical Details
Hono's JWK/JWKS JWT verification middleware selects the signature algorithm from the 'alg' member of the JWK that matches the token. When the JWK omits 'alg' (the member is optional under RFC 7517), the middleware fell back to the 'alg' value in the JWT header, a value the attacker controls and that has not been verified at that point. Letting the unverified header choose the verification algorithm is the classic JWT algorithm-confusion pattern: the server's published key is applied under an algorithm its owner never intended, so a token whose signature was produced under the attacker-chosen algorithm can pass verification without the attacker ever holding the trusted private key. Which substitutions actually verify depends on the key type and on the algorithms the middleware accepts, and JWKs that carry an explicit 'alg' are not reachable through this fallback.
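As an added illustration (not Hono's code and not the fix commit), the algorithm-selection step described above in its vulnerable form and in a hardened form that derives the permitted algorithms from the key type and curve rather than from the token. The Jwk and JwtHeader shapes, the function names and the sample JWKS are assumptions for this example; the key-type-to-algorithm pairings follow RFC 7518. The code decides only which algorithm a verifier would run, performs no signing or signature check, and makes no claim about which substitutions the real middleware would have accepted.

```typescript
// Added example, not Hono's code: how the verification "alg" is chosen from a
// JWK/JWKS and the unverified JWT header. Shapes and names are assumptions.

type Jwk = { kty: string; kid?: string; alg?: string; crv?: string };
type JwtHeader = { alg: string; kid?: string };
type AlgChoice = { ok: true; alg: string } | { ok: false; reason: string };

// Algorithms a key of this type/curve may legitimately be used with
// (RFC 7518 pairings). A key can never cross into another family.
function algorithmsForKey(jwk: Jwk): string[] {
  switch (jwk.kty) {
    case "RSA":
      return ["RS256", "RS384", "RS512", "PS256", "PS384", "PS512"];
    case "EC":
      if (jwk.crv === "P-256") return ["ES256"];
      if (jwk.crv === "P-384") return ["ES384"];
      if (jwk.crv === "P-521") return ["ES512"];
      return [];
    case "OKP":
      return jwk.crv === "Ed25519" ? ["EdDSA"] : [];
    case "oct":
      return ["HS256", "HS384", "HS512"];
    default:
      return [];
  }
}

// Vulnerable pattern from the advisory: prefer the JWK's alg, but when it is
// absent, adopt whatever the (still unverified) token header claims.
function resolveAlgVulnerable(jwk: Jwk, header: JwtHeader): AlgChoice {
  return { ok: true, alg: jwk.alg ?? header.alg };
}

// Hardened pattern: the key decides. An explicit JWK alg must equal the header
// alg; without one, the header alg must be in the family the key permits.
function resolveAlgHardened(jwk: Jwk, header: JwtHeader): AlgChoice {
  if (jwk.alg !== undefined) {
    return jwk.alg === header.alg
      ? { ok: true, alg: jwk.alg }
      : { ok: false, reason: `header alg ${header.alg} != key alg ${jwk.alg}` };
  }
  const allowed = algorithmsForKey(jwk);
  if (!allowed.includes(header.alg)) {
    return { ok: false, reason: `alg ${header.alg} not valid for kty ${jwk.kty}` };
  }
  return { ok: true, alg: header.alg };
}

// JWKS lookup by kid followed by the algorithm decision, as a verifier would do.
function chooseAlgFromJwks(
  keys: Jwk[],
  header: JwtHeader,
  resolve: (jwk: Jwk, h: JwtHeader) => AlgChoice
): AlgChoice {
  const key = keys.find((k) => k.kid === header.kid);
  if (!key) return { ok: false, reason: `no key with kid ${header.kid}` };
  return resolve(key, header);
}

// Constructed sample JWKS (assumption): an RSA key published without alg,
// a P-256 EC key without alg, and an RSA key with an explicit alg.
const SAMPLE_JWKS: Jwk[] = [
  { kty: "RSA", kid: "rsa-no-alg" },
  { kty: "EC", kid: "ec-p256", crv: "P-256" },
  { kty: "RSA", kid: "rsa-ps256", alg: "PS256" },
];

// Attacker-chosen header: asks the verifier to run the RSA key under HMAC.
// The vulnerable resolver complies; the hardened one refuses.
const FORGED_HEADER: JwtHeader = { alg: "HS256", kid: "rsa-no-alg" };

function demo(): { vulnerable: AlgChoice; hardened: AlgChoice } {
  return {
    vulnerable: chooseAlgFromJwks(SAMPLE_JWKS, FORGED_HEADER, resolveAlgVulnerable),
    hardened: chooseAlgFromJwks(SAMPLE_JWKS, FORGED_HEADER, resolveAlgHardened),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The hardened resolver still lets a legitimate token pick among algorithms within the key's family (for example RS256 or PS384 for an RSA key without 'alg'), which is the only freedom the header should have; publishing every JWK with an explicit 'alg' removes even that and is the simplest operational check to apply while upgrading.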
What is the Impact of CVE-2026-22818?
Successful exploitation may allow attackers to forge JWTs with attacker-controlled claims, potentially leading to authentication or authorization bypass and unauthorized access to resources.
What is the Exploitability of CVE-2026-22818?
Exploitation is remote: the attacker only needs to be able to present a JWT to the application, and constructing one requires no prior authentication or privilege. The target must, however, validate tokens with the vulnerable JWK/JWKS middleware, and the JWK that matches the token must omit the 'alg' field. The complexity is moderate, requiring an understanding of JWT structure, JWKS configuration, and algorithm confusion attacks. The likelihood of exploitation increases when the application relies on these JWTs for critical authentication or authorization decisions.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-22818?
Available Upgrade Options
- hono
- <4.11.4 → Upgrade to 4.11.4
Additional Resources
- https://github.com/honojs/hono
- https://github.com/honojs/hono/commit/190f6e28e2ca85ce3d1f2f54db1310f5f3eab134
- https://github.com/honojs/hono/security/advisories/GHSA-3vhc-576x-3qv4
- https://osv.dev/vulnerability/GHSA-3vhc-576x-3qv4
- https://nvd.nist.gov/vuln/detail/CVE-2026-22818
What are Similar Vulnerabilities to CVE-2026-22818?
Similar Vulnerabilities: CVE-2015-2016, CVE-2020-17524, CVE-2020-25648, CVE-2021-29490, CVE-2022-21447
