CVE-2026-47673: CWE-285: Improper Authorization in honojs hono
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses theBearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds to JWT verification. A request presenting a valid JWT under a non-Bearer scheme identifier (such as Basic or Token) is authenticated identically to a correctly formed Bearer request. This vulnerability is fixed in 4.12.21.
AI Analysis
Technical Summary
The honojs hono web application framework before version 4.12.21 contains an improper authorization vulnerability (CWE-285) in its jwt and jwk middlewares. These middlewares fail to verify that the Authorization header uses the Bearer scheme, allowing any two-part header value to be accepted for JWT verification. Consequently, a valid JWT token presented with a non-Bearer scheme identifier is treated as authenticated, potentially bypassing intended scheme checks. This vulnerability has a CVSS 3.1 base score of 4.8 (medium severity) and was published on 2026-05-28. The issue is resolved in version 4.12.21.
Potential Impact
An attacker who can present a valid JWT token with a non-Bearer scheme in the Authorization header can be authenticated identically to a legitimate Bearer token request. This improper authorization could lead to unauthorized access where scheme validation is expected. The impact is limited to confidentiality and integrity with no availability impact, and the attack complexity is high with no privileges or user interaction required.
Mitigation Recommendations
Upgrade honojs hono to version 4.12.21 or later, where this vulnerability is fixed. Since the vendor advisory confirms the fix in 4.12.21, applying this official update is the recommended remediation. Patch status is confirmed by the vendor advisory. No additional mitigations are indicated.
CVE-2026-47673: CWE-285: Improper Authorization in honojs hono
Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses theBearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds to JWT verification. A request presenting a valid JWT under a non-Bearer scheme identifier (such as Basic or Token) is authenticated identically to a correctly formed Bearer request. This vulnerability is fixed in 4.12.21.
CVSS v3.1
Score 4.8medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The honojs hono web application framework before version 4.12.21 contains an improper authorization vulnerability (CWE-285) in its jwt and jwk middlewares. These middlewares fail to verify that the Authorization header uses the Bearer scheme, allowing any two-part header value to be accepted for JWT verification. Consequently, a valid JWT token presented with a non-Bearer scheme identifier is treated as authenticated, potentially bypassing intended scheme checks. This vulnerability has a CVSS 3.1 base score of 4.8 (medium severity) and was published on 2026-05-28. The issue is resolved in version 4.12.21.
Potential Impact
An attacker who can present a valid JWT token with a non-Bearer scheme in the Authorization header can be authenticated identically to a legitimate Bearer token request. This improper authorization could lead to unauthorized access where scheme validation is expected. The impact is limited to confidentiality and integrity with no availability impact, and the attack complexity is high with no privileges or user interaction required.
Mitigation Recommendations
Upgrade honojs hono to version 4.12.21 or later, where this vulnerability is fixed. Since the vendor advisory confirms the fix in 4.12.21, applying this official update is the recommended remediation. Patch status is confirmed by the vendor advisory. No additional mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-19T21:10:38.798Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1871ece29bf47b50124594
Added to database: 5/28/2026, 4:48:44 PM
Last enriched: 5/28/2026, 5:04:45 PM
Last updated: 5/29/2026, 8:21:07 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.