12 matches found

Snyk
added 2026/06/18 12:20 a.m. | 5 views

Exposure of Resource to Wrong Sphere

Overview: Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere in the TokenKeyResolver function. An attacker can bypass authentication and gain unauthorized access by exploiting the shared static JWKS cache across multiple schemes, allowing a key fetched for one...

7.4 CVSS | 5.9 AI score | 0.0029 EPSS
Exploits 0 | References 2
EUVD
added 2026/06/04 5:52 p.m. | 14 views

EUVD-2026-32927

Hono: JWT middleware accepts any Authorization scheme, not only Bearer...

6.5 CVSS | 5.8 AI score | 0.00199 EPSS
Exploits 0 | References 4
OSV
added 2026/06/04 5:52 p.m. | 7 views

GHSA-F577-QRJJ-4474 Hono: JWT middleware accepts any Authorization scheme, not only Bearer

Summary: The jwt and jwk middlewares do not verify that the Authorization header value uses the Bearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds to JWT verification. A request presenting a valid JWT under a non-Bearer scheme identifier such a...

4.8 CVSS | 5.7 AI score | 0.00199 EPSS
Exploits 0 | References 5
Positive Technologies
added 2026/06/04 12:0 a.m. | 14 views

PT-2026-46859

Summary: The jwt and jwk middlewares do not verify that the Authorization header value uses the Bearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds to JWT verification. A request presenting a valid JWT under a non-Bearer scheme identifier such a...

6.5 CVSS | 5.7 AI score | 0.00199 EPSS
Exploits 0 | References 6
RedhatCVE
added 2026/05/30 2:12 a.m. | 12 views

CVE-2026-47673

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses the Bearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds t...

6.5 CVSS | 5.8 AI score | 0.00199 EPSS
Exploits 0 | References 1
NVD
added 2026/05/28 5:16 p.m. | 15 views

CVE-2026-47673

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses the Bearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds t...

6.5 CVSS | 0.00199 EPSS
Exploits 0 | References 1
Vulnrichment
added 2026/05/28 3:29 p.m. | 10 views

CVE-2026-47673 Hono: JWT middleware accepts any Authorization scheme, not only Bearer

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses the Bearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds t...

4.8 CVSS | 5.8 AI score | 0.00199 EPSS
Exploits 0 | References 1
ATTACKERKB
added 2026/05/28 3:29 p.m. | 10 views

CVE-2026-47673

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses the Bearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds t...

4.8 CVSS | 5.8 AI score | 0.00199 EPSS
Exploits 0 | References 2 | Affected Software 1
Cvelist
added 2026/05/28 3:29 p.m. | 36 views

CVE-2026-47673 Hono: JWT middleware accepts any Authorization scheme, not only Bearer

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses the Bearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds t...

4.8 CVSS | 0.00199 EPSS
Exploits 0 | References 1
CVE
added 2026/05/28 3:29 p.m. | 25 views

CVE-2026-47673

CVE-2026-47673 concerns the Hono web framework. Before version 4.12.21, the jwt and jwk middlewares did not validate that the Authorization header used the Bearer scheme. Any two-part header value—regardless of the scheme name in the first position—proceeds to JWT verification. As a result, a req...

6.5 CVSS | 5.8 AI score | 0.00199 EPSS
Exploits 0 | References 1 | Affected Software 1
Positive Technologies
added 2026/05/28 12:0 a.m. | 10 views

PT-2026-44413

Name of the Vulnerable Software and Affected Versions: Hono versions prior to 4.12.21. Description: The jwt and jwk middlewares fail to verify that the Authorization header value utilizes the Bearer scheme. Consequently, any two-part header value is processed for JWT verification regardless of the...

6.5 CVSS | 5.8 AI score | 0.00199 EPSS
Exploits 0 | References 7
RedHat Linux
added 2026/03/05 7:7 p.m. | 6 views

keycloak: Keycloak Authorization Header Parsing Leading to Potential Security Control Bypass

A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters such as tabs as separators and tolerates case variations that deviate from RFC 6750 specifications...

5.3 CVSS | 5.8 AI score | 0.00361 EPSS
Exploits 0 | References 5