Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be served to subsequent requests from different users. This vulnerability is fixed in 4.12.18.
Published: 2026-05-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cache Middleware in Hono, versions prior to 4.12.18, does not skip caching for responses that carry Vary: Authorization or Vary: Cookie. Those headers declare that the response body depends on the requester's credentials, so a response cached from one authenticated user's request can be served to a later request for the same URL from a different user, exposing data that should have stayed private to the first user. The weakness is classified as CWE-524 (Use of Cache Containing Sensitive Information).

Affected Systems

The affected product is Hono, a JavaScript web framework. Any deployment of Hono earlier than version 4.12.18 is susceptible, regardless of the JavaScript runtime it runs on.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 5.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N: reachable over the network, no privileges or user interaction required, confidentiality impact only. The EPSS probability is below 1%, and the issue is not listed in the CISA KEV catalog. The attack path is ordinary web traffic: once an authenticated user's response for a cached route has been stored, any later request for the same URL, including one from an unauthenticated attacker, is answered with that stored response. Exploitation requires only that the application applies the Cache Middleware to a route that returns user-specific content; the attacker cannot pick which user's data is exposed, but receives whichever response is currently cached for that URL.

Generated by OpenCVE AI on May 13, 2026 at 17:03 UTC.

Remediation

The vendor fix is the upgrade to Hono 4.12.18, in which the Cache Middleware skips responses that declare Vary: Authorization or Vary: Cookie. No separate workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade Hono to version 4.12.18 or later; from that version the Cache Middleware no longer stores responses that carry Vary: Authorization or Vary: Cookie.
  • Until the upgrade is deployed, do not mount the Cache Middleware on routes that return authenticated or per-user responses. Setting Vary: Authorization or Vary: Cookie on those responses is the correct declaration, but on affected versions the middleware ignores it, so it is not a mitigation on its own.
  • Audit every route under the middleware for user-specific output (session state, profile data, anything derived from a cookie or Authorization header) and either exclude those routes from caching or ensure the shared cache only ever holds genuinely public responses.

Generated by OpenCVE AI on May 13, 2026 at 17:03 UTC.
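The cross-user leak described under Impact, and the per-user skip that the 4.12.18 fix adds, as an added example in plain JavaScript that is not Hono's own code. It models a response cache keyed only by URL (the failure mode the advisory describes) and runs two different users through the same route with the Vary check off and on. The requests, responses, URL and token values are constructed for the demonstration, and the middleware interface `(req, next)` is a simplification, not Hono's real signature.

```javascript
// Added example, not Hono's code: URL-keyed response cache with and without
// the "skip per-user responses" check. Requests and responses are plain
// objects whose `headers` map uses lowercase keys.

const PER_USER_VARY = new Set(['*', 'authorization', 'cookie']);

// Split a Vary header into normalised tokens:
// "Accept-Encoding, Cookie" -> ["accept-encoding", "cookie"]
function varyTokens(headers) {
  const raw = headers['vary'];
  if (!raw) return [];
  return raw.split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// The check the fix introduces: a response that varies on Authorization or
// Cookie (or on everything) is per-user and must not enter a shared cache.
function isPerUserResponse(res) {
  return varyTokens(res.headers).some((t) => PER_USER_VARY.has(t));
}

// Middleware factory. skipPerUser=false reproduces the pre-4.12.18 behaviour
// (Vary ignored); skipPerUser=true reproduces the fixed behaviour.
function cacheMiddleware(store, { skipPerUser }) {
  return (req, next) => {
    const hit = store.get(req.url);          // cache key is the URL only
    if (hit) return hit;                     // served to whoever asks for that URL
    const res = next(req);
    const cacheable = res.status === 200 && !(skipPerUser && isPerUserResponse(res));
    if (cacheable) store.set(req.url, res);
    return res;
  };
}

// Constructed handler for a user-specific endpoint. It declares
// Vary: Authorization correctly; the question is whether the cache honours it.
function profileHandler(req) {
  const token = (req.headers['authorization'] || '').replace(/^Bearer\s+/i, '') || 'anonymous';
  return {
    status: 200,
    headers: { 'content-type': 'application/json', 'vary': 'Authorization' },
    body: JSON.stringify({ user: token }),
  };
}

// Two users request the same URL in sequence through the middleware and we
// record whose data each of them received.
function runScenario(skipPerUser) {
  const handle = cacheMiddleware(new Map(), { skipPerUser });
  const url = 'https://app.example/api/me'; // hypothetical URL
  const alice = { url, headers: { authorization: 'Bearer alice-token' } };
  const bob = { url, headers: { authorization: 'Bearer bob-token' } };
  const first = JSON.parse(handle(alice, profileHandler).body).user;
  const second = JSON.parse(handle(bob, profileHandler).body).user;
  return { first, second };
}

console.log('vulnerable:', runScenario(false)); // second user receives alice-token
console.log('fixed:     ', runScenario(true));  // second user receives bob-token
```

The vulnerable run shows the leak directly: Bob's request never reaches the handler and is answered with Alice's cached body. The fixed run stores nothing for the per-user route, so each user gets their own response; the same outcome is obtained on unpatched versions by simply not mounting the middleware on such routes.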

Advisories
Source: GitHub GHSA
ID: GHSA-p77w-8qqv-26rm
Title: Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
History

Mon, 18 May 2026 15:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 18:45:00 +0000

Type: First Time appeared
Values Added: Hono; Hono hono
Type: CPEs
Values Added: cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*
Type: Vendors & Products
Values Added: Hono; Hono hono

Wed, 13 May 2026 15:15:00 +0000

Type: Description
Values Added: Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be served to subsequent requests from different users. This vulnerability is fixed in 4.12.18.
Type: Title
Values Added: Hono: Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
Type: Weaknesses
Values Added: CWE-524
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-18T14:07:53.005Z

Reserved: 2026-05-06T15:49:25.193Z

Link: CVE-2026-44457

Vulnrichment

Updated: 2026-05-18T14:07:30.280Z

NVD

Status : Analyzed

Published: 2026-05-13T16:16:57.700

Modified: 2026-05-13T18:34:01.020

Link: CVE-2026-44457

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:30:15Z

Weaknesses