SCA: security update for hono (GHSA-f67f-6cw9-8mq4)

medium Tenable Cloud Security Plugin ID 436738

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4,
there is a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the JWT header’s alg value to
influence signature verification when the selected JWK did not explicitly specify an algorithm. This could
enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. As part
of this fix, the JWT middleware now requires the alg option to be explicitly specified. This prevents
algorithm confusion by ensuring that the verification algorithm is not derived from untrusted JWT header
values. This vulnerability is fixed in 4.11.4. (CVE-2026-22817)

See Also

https://github.com/advisories/GHSA-f67f-6cw9-8mq4

Plugin Details

Severity: Medium

ID: 436738

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 1/14/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.1

Percentile: 7.71

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2026-22817

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/13/2026

Vulnerability Publication Date: 1/13/2026

Reference Information

CVE: CVE-2026-22817

cwe: CWE-347