QSearchQSearch

CVE-2026-47673

4.8 MEDIUM

Hono is a Web application framework that provides support for any JavaScript runtime

Published: 2026-05-28 · Last updated: 2026-05-29

Severity and scoring

CVSS
4.8 MEDIUM
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE
CWE-285

Affected products

VendorProduct
honohono

Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses theBearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds to JWT verification. A request presenting a valid JWT under a non-Bearer scheme identifier (such as Basic or Token) is authenticated identically to a correctly formed Bearer request. This vulnerability is fixed in 4.12.21.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-47676 Hono is a Web application framework that provides support for any JavaScript runtime (5.3 MEDIUM)
  • CVE-2026-47675 Hono is a Web application framework that provides support for any JavaScript runtime (4.3 MEDIUM)
  • CVE-2026-47674 Hono is a Web application framework that provides support for any JavaScript runtime (5.3 MEDIUM)

Same CWE

  • CVE-2026-47342 A privilege escalation vulnerability in Apache OFBiz allows a low-privileged authenticated user to obtain higher privileges This issue...
  • CVE-2026-46668 SpiceDB is an open source database system for creating and managing security-critical application permissions
  • CVE-2026-47298 Improper authorization in Microsoft Office SharePoint allows an authorized attacker to execute code over a network (8.0 HIGH)
  • CVE-2026-45503 Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network (8.1 HIGH)
  • CVE-2026-45490 Improper authorization in .NET allows an authorized attacker to elevate privileges locally (7.8 HIGH)