Package: hono (npm)
Vulnerability: JWT algorithm confusion in Hono JWK Auth Middleware when JWK lacks "alg" (untrusted header.alg fallback)
Affected versions: < 4.11.4
Patched versions: 4.11.4
Severity: High (8.2/10)
CVE ID: CVE-2026-22818

CVSS v3 base metrics:
- Attack vector: Network
- Attack complexity: Low
- Privileges required: None
- User interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: High
- Availability: None

Weaknesses: CWE-347
Credits: calcloc134, devsanthatham

Summary: A flaw in Hono's JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly define an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted.

Resolution: Update to the latest patched release. The middleware now requires an explicit allowlist of asymmetric algorithms when verifying tokens.
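As an added illustration of the fix described above (this is not Hono's code), the weak algorithm-selection step next to a hardened version that requires an explicit allowlist of asymmetric algorithms; the JWK shape, header fields and function names are assumptions made for the example.

```javascript
// Added example (not Hono's code). Shows the algorithm-selection step of a
// JWK-based JWT verifier: the weak fallback the advisory describes next to a
// hardened version that requires an explicit asymmetric-algorithm allowlist.
// The JWK shape and function names here are assumptions for illustration.

const ASYMMETRIC_ALGS = new Set([
  'RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512',
  'ES256', 'ES384', 'ES512', 'EdDSA',
]);

// Key type ("kty") each asymmetric algorithm family is valid for.
function ktyFor(alg) {
  if (alg.startsWith('RS') || alg.startsWith('PS')) return 'RSA';
  if (alg.startsWith('ES')) return 'EC';
  if (alg === 'EdDSA') return 'OKP';
  return null; // symmetric or unknown: never matches an asymmetric JWK
}

// Decode the (still unverified) JOSE header of a compact JWT.
function decodeHeader(token) {
  const seg = token.split('.')[0];
  return JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
}

// Weak selection (the bug class in the advisory): when the matched JWK has no
// "alg", the caller-controlled header.alg decides how the signature is checked.
function selectAlgWeak(jwk, header) {
  return jwk.alg ?? header.alg;
}

// Hardened selection: the caller must pass an allowlist of asymmetric
// algorithms; the chosen alg must be in it, agree with the JWK when the JWK
// states one, and be compatible with the JWK's key type.
function selectAlgStrict(jwk, header, allowedAlgs) {
  if (!Array.isArray(allowedAlgs) || allowedAlgs.length === 0) {
    throw new Error('an explicit allowlist of asymmetric algorithms is required');
  }
  for (const a of allowedAlgs) {
    if (!ASYMMETRIC_ALGS.has(a)) throw new Error(`not an asymmetric algorithm: ${a}`);
  }
  if (jwk.alg && header.alg !== jwk.alg) {
    throw new Error(`header alg ${header.alg} does not match JWK alg ${jwk.alg}`);
  }
  const alg = jwk.alg ?? header.alg;
  if (!allowedAlgs.includes(alg)) throw new Error(`algorithm not allowed: ${alg}`);
  if (ktyFor(alg) !== jwk.kty) throw new Error(`${alg} is incompatible with kty ${jwk.kty}`);
  return alg;
}
```

The strict variant is the property to check in a review: with a JWK that carries no "alg", a token whose header names a symmetric algorithm is rejected instead of being verified with whatever the header says.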