CVE-2026-29087 (GCVE-0-2026-29087)

Vulnerability from cvelistv5 – Published: 2026-03-06 17:03 – Updated: 2026-03-06 18:02
Title
@hono/node-server: Authorization bypass for protected static paths via encoded slashes in Serve Static Middleware
Summary
@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served. This issue has been patched in version 1.19.10.
CWE
  • CWE-863 - Incorrect Authorization
Assigner
  • GitHub_M (CNA orgId a0819718-46f1-4df5-94e2-005712e83aaa); source advisory GHSA-wc8c-qw6v-h7f6
Impacted products
  • honojs / node-server (npm package @hono/node-server): affected < 1.19.10; fixed in 1.19.10 (NVD CPE cpe:2.3:a:hono:node-server:*:*:*:*:*:node.js:*:*)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-29087",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-06T17:58:30.981713Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-06T18:02:36.517Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "node-server",
          "vendor": "honojs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.19.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server\u0027s static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served. This issue has been patched in version 1.19.10."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T17:03:30.412Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6"
        },
        {
          "name": "https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e"
        }
      ],
      "source": {
        "advisory": "GHSA-wc8c-qw6v-h7f6",
        "discovery": "UNKNOWN"
      },
      "title": "@hono/node-server: Authorization bypass for protected static paths via encoded slashes in Serve Static Middleware"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-29087",
    "datePublished": "2026-03-06T17:03:30.412Z",
    "dateReserved": "2026-03-03T20:51:43.484Z",
    "dateUpdated": "2026-03-06T18:02:36.517Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-29087",
      "date": "2026-04-14",
      "epss": "0.00016",
      "percentile": "0.03586"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-29087\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-06T18:16:19.757\",\"lastModified\":\"2026-04-14T17:36:58.930\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server\u0027s static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served. This issue has been patched in version 1.19.10.\"},{\"lang\":\"es\",\"value\":\"@hono/node-server permite ejecutar la aplicaci\u00f3n Hono en Node.js. Antes de la versi\u00f3n 1.19.10, al usar el servicio de archivos est\u00e1ticos de @hono/node-server junto con protecciones de middleware basadas en rutas (por ejemplo, protegiendo /admin/*), una decodificaci\u00f3n de URL inconsistente puede permitir que los recursos est\u00e1ticos protegidos sean accedidos sin autorizaci\u00f3n. En particular, las rutas que contienen barras codificadas (%2F) pueden ser evaluadas de manera diferente por la coincidencia de enrutamiento/middleware frente a la resoluci\u00f3n de rutas de archivos est\u00e1ticos, lo que permite una omisi\u00f3n donde el middleware no se ejecuta pero el archivo est\u00e1tico a\u00fan es servido. Este problema ha sido parcheado en la versi\u00f3n 1.19.10.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hono:node-server:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"1.19.10\",\"matchCriteriaId\":\"8D3962AC-2C38-4050-BDD6-A695D5B1F50F\"}]}]}],\"references\":[{\"url\":\"https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-29087\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-06T17:58:30.981713Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-06T18:02:31.957Z\"}}], \"cna\": {\"title\": \"@hono/node-server: Authorization bypass for protected static paths via encoded slashes in Serve Static Middleware\", \"source\": {\"advisory\": \"GHSA-wc8c-qw6v-h7f6\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"honojs\", \"product\": \"node-server\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.19.10\"}]}], \"references\": [{\"url\": \"https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6\", \"name\": \"https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e\", \"name\": \"https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server\u0027s static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served. This issue has been patched in version 1.19.10.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863: Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-06T17:03:30.412Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-29087\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-06T18:02:36.517Z\", \"dateReserved\": \"2026-03-03T20:51:43.484Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-06T17:03:30.412Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

