CVE-2026-44459: Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

May 9, 2026 (updated May 14, 2026)

Improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches verify() — typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control.

References

github.com/advisories/GHSA-hm8q-7f3q-5f36
github.com/honojs/hono/security/advisories/GHSA-hm8q-7f3q-5f36
nvd.nist.gov/vuln/detail/CVE-2026-44459

Code Behaviors & Features

Detect and mitigate CVE-2026-44459 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →