VYPR
Medium severity · 4.8 · NVD Advisory · Published May 28, 2026

CVE-2026-47673

Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses the Bearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds to JWT verification. A request presenting a valid JWT under a non-Bearer scheme identifier (such as Basic or Token) is authenticated identically to a correctly formed Bearer request. This vulnerability is fixed in 4.12.21.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Hono JWT middleware accepts any Authorization scheme header, not just Bearer, allowing authentication bypass of network-layer controls.

Vulnerability

Hono versions prior to 4.12.21 contain a flaw in the jwt and jwk middlewares: they do not verify that the Authorization header value uses the Bearer scheme as required by RFC 6750. The middleware splits the header value on whitespace and uses the second token as the JWT to verify, regardless of the scheme name in the first position. Any two-part header value (e.g., Basic <jwt>) proceeds to JWT verification. The affected components are @hono/hono versions before 4.12.21.

Exploitation

An attacker who possesses a valid JWT can present it under a non-Bearer scheme identifier (such as Basic or Token) in the Authorization header. No additional authentication or user interaction is required beyond having a valid JWT. The attacker sends a request with a crafted header like Authorization: Basic <valid_jwt>, and the middleware accepts the token and authenticates the request identically to a correctly formed Bearer request.
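The header handling described in the Vulnerability and Exploitation sections, reconstructed as an added example in JavaScript. This is not Hono's code: the function names, the regular expressions and the sample header values are assumptions. `laxExtractToken` models the pre-4.12.21 behaviour the advisory describes (split on whitespace, take the second part, never look at the scheme); `strictExtractBearer` is the check a defender wants, enforcing a case-insensitive Bearer scheme and the b64token grammar of RFC 6750 section 2.1; `classifyAuthHeader` runs both over constructed header values so a proxy or application log scan can flag JWT-shaped credentials presented under a non-Bearer scheme, which is the traffic the advisory says unpatched versions accept.

```javascript
// Added example, not Hono's source. Models the advisory's description of the
// pre-4.12.21 Authorization header handling next to a strict RFC 6750 check.

// Lax behaviour as the advisory describes it: split on whitespace, take the
// second part as the token, ignore whatever scheme name sits in front of it.
function laxExtractToken(authHeader) {
  if (typeof authHeader !== "string") return null;
  const parts = authHeader.trim().split(/\s+/);
  if (parts.length !== 2) return null;
  return parts[1];
}

// RFC 6750 section 2.1 b64token:
//   1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
const B64TOKEN = /^[A-Za-z0-9\-._~+\/]+=*$/;

// Strict extraction: exactly "<scheme> <credential>", the scheme must be
// Bearer (HTTP auth scheme names compare case-insensitively) and the
// credential must be a b64token. Anything else is rejected.
function strictExtractBearer(authHeader) {
  if (typeof authHeader !== "string") return null;
  const m = /^\s*([!#$%&'*+\-.^_`|~0-9A-Za-z]+)\s+(\S+)\s*$/.exec(authHeader);
  if (!m) return null;
  const [, scheme, credential] = m;
  if (scheme.toLowerCase() !== "bearer") return null;
  if (!B64TOKEN.test(credential)) return null;
  return credential;
}

// Cheap structural check for a compact JWS/JWT: three base64url segments.
function looksLikeJwt(s) {
  return (
    typeof s === "string" &&
    /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/.test(s)
  );
}

// Detection helper for proxy or application logs: a header that the lax
// parser would accept but the strict parser rejects, and whose credential
// is JWT-shaped, is exactly the request pattern the advisory describes.
function classifyAuthHeader(authHeader) {
  const strict = strictExtractBearer(authHeader);
  if (strict !== null) return "bearer-ok";
  const lax = laxExtractToken(authHeader);
  if (lax !== null && looksLikeJwt(lax)) return "jwt-under-wrong-scheme";
  if (lax !== null) return "non-bearer";
  return "malformed";
}

// Constructed sample values. SAMPLE_JWT is a placeholder with the shape of a
// compact JWT, not a real or signed token.
const SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl";
const SAMPLES = [
  `Bearer ${SAMPLE_JWT}`,         // correctly formed
  `bearer ${SAMPLE_JWT}`,         // scheme names are case-insensitive
  `Basic ${SAMPLE_JWT}`,          // accepted by lax parser, rejected by strict
  `Token ${SAMPLE_JWT}`,          // same
  "Basic dXNlcjpwYXNz",           // ordinary Basic credentials, not a JWT
  "Bearer",                       // missing credential
  `Bearer ${SAMPLE_JWT} extra`,   // three parts, rejected by both
];

function scanSamples(samples) {
  return samples.map((h) => ({ header: h, verdict: classifyAuthHeader(h) }));
}

for (const r of scanSamples(SAMPLES)) {
  console.log(r.verdict.padEnd(24), r.header);
}
```

The scheme check belongs in the application's middleware, not only at a gateway: the Impact section's point is that perimeter rules keyed on the literal `Bearer` string see a different scheme name and may not apply, so the application must reject the request itself. A scan that reports `jwt-under-wrong-scheme` on existing logs indicates either clients that were relying on the lax behaviour, or traffic worth a closer look, before the upgrade to 4.12.21 starts rejecting it.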

Impact

Successful exploitation allows the attacker to bypass network-layer security controls (e.g., WAF rules, API gateways, reverse proxies) that inspect or filter requests based on the authorization scheme identifier. This can lead to token reuse across authentication schemes in applications using multiple authorization mechanisms. The attacker gains the same privileges as if they had used the correct Bearer scheme, but their request may evade security policies tied to the Bearer identifier.

Mitigation

The vulnerability is fixed in Hono version 4.12.21, released as per the advisory [1]. Users should upgrade to 4.12.21 or later. There is no known workaround other than upgrading; no KEV listing has been published.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2 affected products
  • Honojs/Hono (inferred): 2 versions, <4.12.21 (+1 more)
    • (no CPE) range: <4.12.21
    • (no CPE) range: <4.12.21

Patches

1 patch
a83ddb882e0c

4.12.21

https://github.com/honojs/hono · Yusuke Wada · May 19, 2026 · Fixed in 4.12.21 via release-tag
1 file changed · +1 −1
  • package.json (+1 −1, modified)
    @@ -1,6 +1,6 @@
     {
       "name": "hono",
    -  "version": "4.12.20",
    +  "version": "4.12.21",
       "description": "Web framework built on Web Standards",
       "main": "dist/cjs/index.js",
       "type": "module",
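Review bot: this hunk only bumps "version" from 4.12.20 to 4.12.21 in package.json; the change to the jwt and jwk middlewares that enforces the Bearer scheme is not part of this diff, which the patch record marks as attributed via release-tag rather than a fix commit. Anyone verifying the fix should read the middleware source in the 4.12.21 tag rather than this file, and the "Vulnerability mechanics" section below is correspondingly empty because no fix diff is available.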
    

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.