GHSA-F577-QRJJ-4474
Vulnerability from github – Published: 2026-06-04 17:52 – Updated: 2026-06-04 17:52Summary
The jwt and jwk middlewares do not verify that the Authorization header value uses theBearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds to JWT verification. A request presenting a valid JWT under a non-Bearer scheme identifier (such as Basic or Token) is authenticated identically to a correctly formed Bearer request.
Details
When processing an Authorization (or custom) header, the middleware splits the value on whitespace and uses the second token as the JWT to verify. It does not check that the first token is bearer (case-insensitively). RFC 6750 specifies that JWT bearer tokens must be presented using the Bearer scheme; other scheme identifiers carry distinct semantics and may be subject to different policies in network-layer security controls.
This discrepancy means that scheme-aware external controls — such as WAF rules, API gateways, or reverse proxies that apply policies specific to the Bearer scheme identifier — can be bypassed by presenting a valid JWT under a different scheme name.
This issue affects hono/jwt and hono/jwk middleware.
Impact
An attacker who possesses a valid JWT may present it under a non-Bearer scheme identifier and still pass middleware authentication.
This may lead to:
- Bypass of network-layer security controls that inspect or filter requests based on the authorization scheme identifier
- Token reuse across authentication schemes in applications that use multiple authorization mechanisms
This issue affects applications where hono/jwt or hono/jwk authentication is combined with external controls that enforce scheme-based access policies.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "hono"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.12.21"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47673"
],
"database_specific": {
"cwe_ids": [
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-04T17:52:04Z",
"nvd_published_at": "2026-05-28T17:16:32Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nThe `jwt` and `jwk` middlewares do not verify that the `Authorization` header value uses the`Bearer` scheme. Any two-part header value \u2014 regardless of the scheme name in the first position \u2014 proceeds to JWT verification. A request presenting a valid JWT under a non-`Bearer` scheme identifier (such as `Basic` or `Token`) is authenticated identically to a correctly formed `Bearer` request.\n\n### Details\n\nWhen processing an `Authorization` (or custom) header, the middleware splits the value on whitespace and uses the second token as the JWT to verify. It does not check that the first token is `bearer` (case-insensitively). RFC 6750 specifies that JWT bearer tokens must be presented using the `Bearer` scheme; other scheme identifiers carry distinct semantics and may be subject to different policies in network-layer security controls.\n\nThis discrepancy means that scheme-aware external controls \u2014 such as WAF rules, API gateways, or reverse proxies that apply policies specific to the `Bearer` scheme identifier \u2014 can be bypassed by presenting a valid JWT under a different scheme name.\n\nThis issue affects `hono/jwt` and `hono/jwk` middleware.\n\n### Impact\n\nAn attacker who possesses a valid JWT may present it under a non-`Bearer` scheme identifier and still pass middleware authentication.\n\nThis may lead to:\n\n- Bypass of network-layer security controls that inspect or filter requests based on the authorization scheme identifier\n- Token reuse across authentication schemes in applications that use multiple authorization mechanisms\n\nThis issue affects applications where `hono/jwt` or `hono/jwk` authentication is combined with external controls that enforce scheme-based access policies.",
"id": "GHSA-f577-qrjj-4474",
"modified": "2026-06-04T17:52:04Z",
"published": "2026-06-04T17:52:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/honojs/hono/security/advisories/GHSA-f577-qrjj-4474"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47673"
},
{
"type": "WEB",
"url": "https://github.com/honojs/hono/commit/5463db2735476959b8af67756f4e513f4fe19115"
},
{
"type": "PACKAGE",
"url": "https://github.com/honojs/hono"
},
{
"type": "WEB",
"url": "https://github.com/honojs/hono/releases/tag/v4.12.21"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Hono: JWT middleware accepts any Authorization scheme, not only Bearer"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.