Authorization Weakness in Hono Web Application Framework
CVE-2026-29045

7.5HIGH

Key Information:

Vendor: Honojs
Status: Hono
Vendor: CVE Published:; 4 March 2026

What is CVE-2026-29045?

The Hono Web Application Framework, which supports various JavaScript runtimes, exhibited an authorization bypass issue prior to version 4.12.4. An inconsistency in URL decoding methods between the routing and static file serving components allowed attackers to access protected resources without proper authorization. Specifically, the routing mechanism leveraged decodeURI, while the static serving function utilized decodeURIComponent. This mismatch enabled attackers to exploit encoded slashes (%2F) in URLs, thus circumventing middleware protections and accessing restricted filesystem paths. This vulnerability has been addressed in the patched version 4.12.4.

Affected Version(s)

hono < 4.12.4

References

https://github.com/honojs/hono/security/advisories/GHSA-q...

x_refsource_CONFIRM

https://github.com/honojs/hono/commit/6a0607a929d888893f0...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 4, 2026
Vulnerability Reserved
Mar 3, 2026

CVE-2026-29045 Data

JSON

Honojs

What is CVE-2026-29045?

Affected Version(s)

References

CVSS V3.1

Timeline