CVE-2026-47673 MEDIUM

CVE-2026-47673: Hono: JWT middleware accepts any Authorization scheme, not only Bearer

Vendor Honojs
Product hono
Weakness CWE-285
Published May 28, 2026
Last update May 30, 2026
View on NVD All CVEs

CVSS base score

4.8/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses theBearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds to JWT verification. A request presenting a valid JWT under a non-Bearer scheme identifier (such as Basic or Token) is authenticated identically to a correctly formed Bearer request. This vulnerability is fixed in 4.12.21.

Key dates

02Disclosure timeline

May 28, 2026 CVE published
May 30, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-7947 jshERP Account delete improper authorization CVE-2020-5251 Information disclosure in parse-server CVE-2025-10319 JeecgBoot Tenant Log Export exportLog improper authorization CVE-2024-5053 Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.18 - Missing Authorization to Authenticated (Subscriber+) Mailchimp Integration Modification CVE-2023-42453 Improper validation of receipts allows forged read receipts in matrix synapse