Skip to main content

Hono Framework CVE-2026-47673

| EUVD-2026-32927 MEDIUM
Improper Authorization (CWE-285)
2026-05-28 GitHub_M
Authentication Bypass Hono
4.8
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
May 28, 2026 - 18:02 EUVD
Analysis Generated
May 28, 2026 - 17:25 vuln.today

DescriptionNVD

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses theBearer scheme. Any two-part header value - regardless of the scheme name in the first position - proceeds to JWT verification. A request presenting a valid JWT under a non-Bearer scheme identifier (such as Basic or Token) is authenticated identically to a correctly formed Bearer request. This vulnerability is fixed in 4.12.21.

AnalysisAI

Hono's jwt and jwk middleware components fail to enforce the Bearer scheme in the Authorization header, allowing any two-part header value - such as 'Basic <token>' or 'Token <token>' - to pass JWT verification identically to a correctly formed Bearer request. All Hono releases prior to 4.12.21 on any supported JavaScript runtime are affected when these middlewares protect routes. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-47673 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy