CVE-2026-44459 LOW

CVE-2026-44459: Hono: Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Vendor Honojs
Product hono
Weakness CWE-1284
Published May 13, 2026
Last update May 13, 2026

CVSS base score

3.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches verify() — typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control. This vulnerability is fixed in 4.12.18.

Key dates

02Disclosure timeline

May 13, 2026 CVE published
May 13, 2026 Record updated