
JWT Algorithm Confusion Attack: Two Active CVEs in 2026
Two JWT algorithm confusion attack CVEs dropped in January 2026, both with public proof-of-concept exploits, both exploiting the exact same root cause: JWT libraries that let the token's own alg header dictate how signature verification works. CVE-2026-22817 hit Hono — one of the fastest-growing edge-runtime frameworks — with a CVSS score of 8.2. CVE-2026-23993 hit HarbourJwt, a Go library, with a bypass so simple it requires zero cryptographic knowledge. If you run anything that validates JWTs, this is your wake-up call to check whether your library actually pins the algorithm.

I spent a morning decoding forged tokens from both POC exploits using the PinusX JWT Decoder, and the signatures of a weaponized JWT are obvious once you know what to look for. Here's the breakdown.

CVE-2026-22817: Hono's RS256-to-HS256 Swap (CVSS 8.2)

Hono is a lightweight web framework that runs on Cloudflare Workers, Deno, Bun, and Node.js. Its built-in JWT middleware, in all versions before 4.11.4, was vul
Continue reading on Dev.to Webdev