CVE-2026-27700
Published: 25 February 2026
Summary
CVE-2026-27700 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in the Hono web framework. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 0.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- Directly remediates the flaw in the Hono AWS Lambda adapter's getConnInfo() function by patching to version 4.12.2, preventing incorrect parsing of the X-Forwarded-For header.
- Enforces IP-based access controls at the network boundary using the ALB's accurate client IP (appended at the end of the header), blocking spoofed requests that would bypass the application-level ipRestriction middleware.
- Validates and correctly parses proxy headers such as X-Forwarded-For to identify the true client IP from trusted proxies such as the ALB, mitigating attacker-controlled spoofing of the first header value.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The vulnerability sits in a public-facing Hono web application (AWS Lambda adapter), so it is exploited directly via a spoofed X-Forwarded-For header that bypasses IP access controls and reaches protected endpoints.
NVD Description
Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value from the `X-Forwarded-For` header. Because AWS ALB appends the real client IP address to the end of the `X-Forwarded-For` header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms (such as the `ipRestriction` middleware) to be bypassed. Version 4.12.2 patches the issue.
Deeper analysis [AI-generated]
CVE-2026-27700 affects Hono, a web application framework supporting any JavaScript runtime, specifically versions 4.12.0 and 4.12.1. The vulnerability resides in the AWS Lambda adapter (`hono/aws-lambda`) when deployed behind an Application Load Balancer (ALB). The `getConnInfo()` function erroneously selects the first value of the `X-Forwarded-For` header as the client IP. Since AWS ALB appends the real client IP to the end of this header, the first value is whatever the client sent and therefore remains attacker-controlled, enabling bypass of IP-based access controls such as the `ipRestriction` middleware. The issue is rated CVSS 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) and maps to CWE-290 and CWE-345.
Any unauthenticated attacker with network access to the ALB-fronted Hono application can exploit this by supplying their own `X-Forwarded-For` header. Because the first entry is the one the adapter trusts, setting it to an allowed IP evades restrictions enforced by IP-dependent mechanisms, potentially granting unauthorized access to protected endpoints and exposing sensitive data (high confidentiality impact) or allowing minor modifications (low integrity impact).
The vulnerability is patched in Hono version 4.12.2. Security practitioners should upgrade to this version immediately. Relevant resources include the fixing commit at https://github.com/honojs/hono/commit/41adbf56e252c04611f8972364ac0887ae07a4c7, the release notes at https://github.com/honojs/hono/releases/tag/v4.12.2, and the security advisory at https://github.com/honojs/hono/security/advisories/GHSA-xh87-mx6m-69f3.
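As an added illustration (not Hono's own code and not the content of the fixing commit), the following JavaScript contrasts the first-value selection described above with a last-value selection that assumes exactly one trusted proxy, the ALB, directly in front of the function. It also includes a simple boundary check that flags requests carrying more forwarded hops than a single-ALB topology should ever produce, which is a useful detection signal at the network edge. The allow-list, the lowercase header key, the `albForward` emulation and all IP addresses are constructed for the example.

```javascript
// Added example, not Hono's code. Header keys are assumed to be lowercase,
// as they arrive in the Lambda event object.
const ALLOWED_IPS = new Set(['203.0.113.10']); // constructed allow-list

// Behaviour described for Hono 4.12.0/4.12.1: trust the FIRST entry of
// X-Forwarded-For, which is whatever the connecting client chose to send.
function clientIpFirstValue(headers) {
  const xff = headers['x-forwarded-for'];
  if (!xff) return null;
  return xff.split(',')[0].trim();
}

// Hardened variant (assumption: exactly one trusted proxy, the ALB, which
// appends the TCP peer address as the LAST entry). Only that entry is trusted.
function clientIpLastValue(headers) {
  const xff = headers['x-forwarded-for'];
  if (!xff) return null;
  const parts = xff.split(',').map((s) => s.trim()).filter(Boolean);
  return parts.length ? parts[parts.length - 1] : null;
}

// Boundary check: with `trustedHops` proxies in front of the app, a request
// should carry at most `trustedHops` appended entries. Anything beyond that
// was supplied by the client and is worth logging or rejecting at the edge.
function hasClientSuppliedHops(headers, trustedHops) {
  const xff = headers['x-forwarded-for'];
  if (!xff) return false;
  const count = xff.split(',').map((s) => s.trim()).filter(Boolean).length;
  return count > trustedHops;
}

// Emulates what the ALB does before forwarding: append the peer IP it saw.
function albForward(clientHeaders, peerIp) {
  const existing = clientHeaders['x-forwarded-for'];
  return {
    ...clientHeaders,
    'x-forwarded-for': existing ? `${existing}, ${peerIp}` : peerIp,
  };
}

// Minimal stand-in for an IP allow-list middleware, parameterised by the
// extractor so both behaviours can be compared on the same request.
function ipRestriction(extractIp, headers) {
  const ip = extractIp(headers);
  return ip !== null && ALLOWED_IPS.has(ip);
}

// Constructed scenario: a client at 198.51.100.7 sends a forged header
// naming an allowed address; an honest client connects from 203.0.113.10.
function scenario() {
  const forged = albForward({ 'x-forwarded-for': '203.0.113.10' }, '198.51.100.7');
  const honest = albForward({}, '203.0.113.10');
  return {
    forgedPassesVulnerable: ipRestriction(clientIpFirstValue, forged), // true: bypass
    forgedPassesHardened: ipRestriction(clientIpLastValue, forged), // false
    honestPassesVulnerable: ipRestriction(clientIpFirstValue, honest), // true
    honestPassesHardened: ipRestriction(clientIpLastValue, honest), // true
    forgedFlaggedAtEdge: hasClientSuppliedHops(forged, 1), // true
    honestFlaggedAtEdge: hasClientSuppliedHops(honest, 1), // false
  };
}

console.log(scenario());
```

The last-value rule is only correct when every hop between the internet and the function is a proxy you control; if another trusted layer (for example a CDN) sits in front of the ALB, the trusted-hop count grows and the extractor must skip that many entries from the right rather than simply taking the last one.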
Details
- CWE(s)