Vulnerability DatabaseCVE-2026-47673
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-47673
Published:May 28, 2026
Updated:June 13, 2026
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses theBearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds to JWT verification. A request presenting a valid JWT under a non-Bearer scheme identifier (such as Basic or Token) is authenticated identically to a correctly formed Bearer request. This vulnerability is fixed in 4.12.21.
Affected Packages
hono (NPM):
Affected version(s) >=0.0.1 <4.12.21
Fix Suggestion:
Update to version 4.12.21
Related Resources (5)
https://github.com/honojs/hono/security/advisories/GHSA-f577-qrjj-4474
https://github.com/honojs/hono
https://nvd.nist.gov/vuln/detail/CVE-2026-47673
https://github.com/honojs/hono/releases/tag/v4.12.21
https://github.com/honojs/hono/commit/5463db2735476959b8af67756f4e513f4fe19115
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.8
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Improper Authorization
CWE-285
EPSS
Base Score:
0.04