CVE-2026-47673: Hono JWT Middleware Bearer Scheme Validation Bypass
Hono, a JavaScript Web application framework, contains a flaw in its JWT authentication middleware that fails to enforce the Bearer scheme requirement. Prior to version 4.12.21, the jwt and jwk middlewares accept any two-part Authorization header value—regardless of whether it uses Bearer, Basic, Token, or any other scheme name—and proceed directly to JWT verification if the token is valid. This means an attacker could authenticate by presenting a valid JWT under an incorrect scheme (like Basic auth) and gain the same access as a properly formatted Bearer token request. The vulnerability is fixed in version 4.12.21.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.8 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-285
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses theBearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds to JWT verification. A request presenting a valid JWT under a non-Bearer scheme identifier (such as Basic or Token) is authenticated identically to a correctly formed Bearer request. This vulnerability is fixed in 4.12.21.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from insufficient scheme validation in Hono's jwt and jwk middleware implementations. The middleware logic checks for the presence of a two-part Authorization header but does not verify that the first part matches the Bearer scheme before proceeding to JWT token validation. An Authorization header formatted as "Basic <valid_jwt>" or "Token <valid_jwt>" will be accepted and the JWT payload will be verified, bypassing the intended Bearer-only authentication model. This validation gap allows authentication to succeed under non-standard scheme identifiers, violating the OAuth 2.0 Bearer Token Usage specification (RFC 6750) which mandates Bearer as the exclusive scheme for JWT-based bearer tokens.
Business impact
Organizations using Hono applications rely on JWT-based authentication to control access to APIs and protected resources. This vulnerability reduces the security posture of that authentication layer by allowing attackers with a valid JWT to bypass scheme enforcement. In practice, an attacker who obtains a valid JWT—through token interception, compromise of a token-issuing service, or other means—gains a more flexible attack vector. They can present the token under alternative schemes that may be subject to different rate limiting, logging, or inspection rules, or they may exploit this to confuse security controls that depend on scheme-specific behavior. For applications that rely on scheme enforcement as part of a defense-in-depth strategy, this creates an authentication control weakness.
Affected systems
Hono versions prior to 4.12.21 are affected. Any deployment using the jwt or jwk middleware for authentication is at risk. The vulnerability exists across all JavaScript runtimes supported by Hono (Node.js, Deno, Bun, Cloudflare Workers, etc.), as the flawed validation logic is framework-level, not runtime-specific.
Exploitability
Exploitability requires two preconditions: the attacker must possess or be able to obtain a valid JWT issued by the application's token service, and the application must be running a vulnerable version of Hono with jwt or jwk middleware enabled. The vulnerability itself is trivial to exploit once those conditions are met—simply crafting an Authorization header with an alternative scheme name and the valid JWT requires only basic HTTP manipulation. No special tooling, network conditions, or user interaction is needed. The CVSS score reflects the relatively moderate impact (read and modify access, partial confidentiality and integrity loss) combined with the requirement that a valid token must already exist, which raises the attack complexity.
Remediation
Upgrade Hono to version 4.12.21 or later. This version introduces proper Bearer scheme validation in the jwt and jwk middleware, ensuring that only Authorization headers beginning with "Bearer " (case-insensitive) are accepted for JWT verification. Verify the upgrade across all environments (development, staging, production) where Hono-based applications are deployed. No configuration changes are required post-upgrade; the fix is transparent to application code.
Patch guidance
1. Review your Hono dependency version in package.json or equivalent dependency manifest. 2. Update to version 4.12.21 or the latest stable release. 3. Run your dependency lock file update (npm install, yarn install, or pnpm install) and commit changes. 4. Re-run your authentication test suite to confirm JWT validation behavior remains intact. 5. Deploy the updated application across all environments. 6. Monitor application logs post-deployment for any unexpected authentication rejections (which would indicate overly permissive schemes were previously in use).
Detection guidance
Review HTTP request logs for Authorization headers that contain valid JWT tokens but use non-Bearer scheme identifiers (e.g., "Authorization: Basic eyJ...", "Authorization: Token eyJ..."). Inspect middleware configuration in your Hono codebase to confirm whether jwt or jwk middleware is active. If you have network-level traffic inspection in place, look for patterns where the same JWT appears with varying scheme names across different requests. Enable debug logging in Hono's middleware layer (if available) to capture scheme information for each auth attempt. Check for any unusual authentication activity correlating to the introduction of alternative scheme names in your HTTP traffic.
Why prioritize this
This vulnerability merits prompt but not emergency attention. The CVSS score of 4.8 (MEDIUM) reflects that exploitation requires pre-existing valid tokens and does not grant complete system compromise. However, it does weaken a critical authentication control. The fact that it is not yet in CISA's Known Exploited Vulnerabilities catalog suggests active exploitation in the wild is not widespread. Prioritize patching in public-facing or internet-accessible Hono applications and in environments processing sensitive data or identity verification. Delay is acceptable only if your threat model depends entirely on scheme-based controls being unbypassable—which is never the case with modern security practices—or if your Hono instances are isolated from untrusted networks.
Risk score, explained
The CVSS 3.1 score of 4.8 is derived from: Network Attack Vector (AV:N) reflecting that the flaw can be exploited over the network; High Attack Complexity (AC:H) because the attacker must already possess a valid JWT; No Privilege Requirement (PR:N) as any unauthenticated user can submit a crafted request; No User Interaction (UI:N); Unchanged Scope (S:U); Low Confidentiality Impact (C:L) and Low Integrity Impact (I:L) indicating partial unauthorized access and data modification capability; and No Availability Impact (A:N). The HIGH attack complexity is the primary moderating factor, preventing a HIGHER severity rating despite the network-accessible nature and authentication bypass nature of the flaw.
Frequently asked questions
If I update to 4.12.21, will existing client code that uses the correct Bearer scheme continue to work?
Yes. The fix enforces Bearer scheme validation but does not change the JWT verification logic itself. Clients already sending properly formatted "Authorization: Bearer <token>" headers will see no difference. Only requests using incorrect scheme names will begin to fail, which is the intended security improvement.
Could an attacker use this to forge JWTs, or does it only enable misuse of existing valid tokens?
This vulnerability does not enable token forgery. It only allows an attacker who already possesses a valid JWT to present it using a non-standard scheme and still gain authentication. If your token-issuing service is secure, the attacker's JWT must come from legitimate channels, a compromised service, or token interception. The vulnerability amplifies the impact of such a compromise but does not create one.
Do I need to rotate existing JWTs after patching?
No. The patch enforces stricter scheme validation without changing the cryptographic validity or lifetime of tokens themselves. Existing JWTs remain valid; they will simply be rejected if presented under a non-Bearer scheme after the upgrade. This is the correct behavior and does not require token rotation.
Why is this a MEDIUM severity and not LOW, given that a valid token must already exist?
CVSS MEDIUM reflects the combination of network accessibility, the authentication control weakness, and partial confidentiality and integrity loss. While the attacker must already have a valid token, the vulnerability still represents a meaningful security gap—it weakens the authentication posture by allowing scheme bypass. CVSS factors attack vector and impact heavily; the requirement for a pre-existing token is reflected in the HIGH attack complexity, not in a downgrade to LOW severity.
This analysis is provided for informational purposes and reflects the vulnerability details as published. Patch version numbers, affected product versions, and CVSS scores are derived from official sources. Organizations should verify compatibility and test patches in non-production environments before deployment. SEC.co does not provide guarantee of accuracy or timeliness; consult Hono's official security advisory and GitHub repository for the most current guidance. No proof-of-concept or weaponizable exploit code is provided herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10070MEDIUMmacrozheng mall Admin Authorization Bypass in /admin/update/
- CVE-2026-10154MEDIUMDolibarr ERP CRM Authorization Bypass in Messaging Module
- CVE-2026-10211MEDIUMAstrBot 4.23.6 Path Normalization Authorization Bypass
- CVE-2026-10212MEDIUMAstrBot 4.24.2 Authorization Bypass via Session ID Manipulation
- CVE-2026-10215MEDIUMDolibarr Leave Request API Authorization Bypass
- CVE-2026-10218MEDIUMGoClaw Improper Authorization Vulnerability (CVSS 5.4)
- CVE-2026-10269MEDIUMHost Header Authorization Bypass in Decolua 9router
- CVE-2026-10272MEDIUMStudent-Management-System Authorization Bypass in Admin Panel