CVE-2026-47673

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses theBearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds to JWT verification. A request presenting a valid JWT under a non-Bearer scheme identifier (such as Basic or Token) is authenticated identically to a correctly formed Bearer request. This vulnerability is fixed in 4.12.21.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/honojs/hono/security/advisories/GHSA-f577-qrjj-4474	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*

History

29 May 2026, 17:05

Type	Values Removed	Values Added
First Time		Hono Hono hono
References	~~() https://github.com/honojs/hono/security/advisories/GHSA-f577-qrjj-4474 -~~	() https://github.com/honojs/hono/security/advisories/GHSA-f577-qrjj-4474 - Vendor Advisory
CPE		cpe:2.3:a:hono:hono::::::node.js::*

28 May 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-28 17:16

Updated : 2026-05-29 17:05

NVD link : CVE-2026-47673

Mitre link : CVE-2026-47673

CVE.ORG link : CVE-2026-47673

JSON object : View

Products Affected

hono

hono

CWE

CWE-285

Improper Authorization

{"id": "CVE-2026-47673", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2026-05-28T17:16:32.233", "references": [{"url": "https://github.com/honojs/hono/security/advisories/GHSA-f577-qrjj-4474", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses theBearer scheme. Any two-part header value \u2014 regardless of the scheme name in the first position \u2014 proceeds to JWT verification. A request presenting a valid JWT under a non-Bearer scheme identifier (such as Basic or Token) is authenticated identically to a correctly formed Bearer request. This vulnerability is fixed in 4.12.21."}], "lastModified": "2026-05-29T17:05:59.723", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "797B2A25-4B24-46A9-8EF4-35F6F1214A7C", "versionEndExcluding": "4.12.21"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}