CVE-2026-29087
Published: 06 March 2026
Summary
CVE-2026-29087 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Hono Node-Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Periodic review and update of procedures reduces incorrect authorization implementations over time.
Supervision identifies cases where authorization logic incorrectly permits unauthorized actions.
Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.
The authorization process and usage restrictions help prevent incorrect authorization for remote access types.
Establishing configuration and connection requirements helps ensure correct rather than incorrect authorization for wireless access.
Establishing connection authorization processes for mobile devices helps ensure authorization decisions are correctly implemented rather than incorrect.
Monitoring account use, notifying on changes, and reviewing accounts for compliance corrects incorrect authorization assignments.
Ensures authorization decisions for external system use are correctly implemented and enforced.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remote authorization bypass in a public-facing Node.js web server (Hono static file handler), directly enabling adversaries to exploit the application for unauthorized access to protected resources without authentication.
NVD Description
@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In…
more
particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served. This issue has been patched in version 1.19.10.
Deeper analysisAI
CVE-2026-29087 is a vulnerability in the @hono/node-server package, which enables running Hono applications on Node.js. In versions prior to 1.19.10, inconsistent URL decoding occurs when combining static file serving with route-based middleware protections, such as those for paths like /admin/*. Paths containing encoded slashes (%2F) are evaluated differently during routing and middleware matching compared to static file path resolution, allowing protected static resources to be accessed without authorization as the middleware is bypassed but the file is still served.
Unauthenticated remote attackers can exploit this issue with low complexity by sending crafted requests using encoded slashes in the path. For example, a protected resource under /admin/ could be accessed via a URL like /admin%2Fsecretfile, evading middleware checks while the static handler resolves and delivers the file. This leads to unauthorized disclosure of sensitive static content, reflected in the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and mapped to CWE-863 (Incorrect Authorization).
The vulnerability has been patched in @hono/node-server version 1.19.10. Mitigation involves updating to this version or later. Additional details on the fix are provided in the GitHub security advisory at GHSA-wc8c-qw6v-h7f6 and the patching commit at 455015be1697dd89974a68b70350ea7b2d126d2e.
Details
- CWE(s)