Improper Validation in Hono Web Application Framework
CVE-2026-44459

3.8 LOW

Key Information:

Vendor: Honojs

Status
Vendor
CVE Published: 13 May 2026

What is CVE-2026-44459?

The Hono Web Application Framework contains a vulnerability caused by improper validation of the JSON Web Token (JWT) NumericDate claims exp, nbf, and iat. Tokens carrying non-compliant values in these claims can bypass the time-based validation checks. The flaw is not exploitable by anonymous users: a malformed claim has to be validated by the verify() function, which usually happens only when the application itself generates such tokens or when an attacker gains control over the signing key. The issue is fixed in version 4.12.18 of the framework.
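Added example, not Hono's code: a loose time check that lets non-compliant exp, nbf and iat values through, next to a strict check that enforces the RFC 7519 NumericDate type (a JSON number) before comparing. The function names, the loose pattern and the sample payloads are assumptions constructed for illustration, and signature verification is assumed to have already succeeded.

```javascript
// Illustrative only: hypothetical helpers, not taken from Hono's source.

// Loose pattern: truthiness test plus relational comparison. A non-numeric
// value coerces to NaN, every comparison with NaN is false, and the check
// is silently skipped. A falsy value such as 0 or null skips it as well.
function looseTimeCheck(payload, now) {
  if (payload.nbf && payload.nbf > now) return 'not-yet-valid'
  if (payload.exp && payload.exp <= now) return 'expired'
  if (payload.iat && now < payload.iat) return 'issued-in-future'
  return 'ok'
}

// RFC 7519: a NumericDate is a JSON numeric value (seconds since the epoch).
function isNumericDate(value) {
  return typeof value === 'number' && Number.isFinite(value)
}

// Strict pattern: reject any present-but-malformed claim before comparing,
// and test presence with undefined rather than truthiness.
function strictTimeCheck(payload, now) {
  for (const claim of ['nbf', 'exp', 'iat']) {
    if (payload[claim] !== undefined && !isNumericDate(payload[claim])) {
      return `invalid-${claim}`
    }
  }
  if (payload.nbf !== undefined && payload.nbf > now) return 'not-yet-valid'
  if (payload.exp !== undefined && payload.exp <= now) return 'expired'
  if (payload.iat !== undefined && now < payload.iat) return 'issued-in-future'
  return 'ok'
}

// Constructed sample payloads (already-verified token bodies).
const NOW = 1800000000
const SAMPLES = [
  { exp: NOW - 60 },        // well-formed, expired
  { exp: 'never' },         // string instead of number
  { exp: 0 },               // numeric but falsy
  { nbf: '2099-01-01' },    // date string instead of NumericDate
]

// Run both checks over the samples and return the verdicts side by side.
function compareChecks(samples, now) {
  return samples.map((p) => ({
    payload: JSON.stringify(p),
    loose: looseTimeCheck(p, now),
    strict: strictTimeCheck(p, now),
  }))
}

console.table(compareChecks(SAMPLES, NOW))
```
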

Affected Version(s)

hono < 4.12.18

CVSS V3.1

Score: 3.8
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
