Path Handling Inconsistency in Hono Node.js Application by Hono
CVE-2026-39406

5.3 MEDIUM

Key Information:

Vendor: Honojs

CVE Published: 8 April 2026

What is CVE-2026-39406?

The Hono Node.js server adapter (node-server) prior to version 1.19.13 contains a path handling inconsistency that affects the serveStatic functionality. Users can access protected static files by using repeated slashes (//) in the request path. Authorization middleware, typically applied via route-based patterns (e.g., /admin/*), does not match paths containing these repeated slashes, while serveStatic resolves the repeated slashes and serves the file, so the intended access controls are bypassed. This vulnerability has been addressed in the release of version 1.19.13.
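The mismatch described above, as an added example (not Hono's code and not part of this advisory): `matchesPattern` and `resolveStaticPath` are hypothetical, simplified stand-ins for a route-pattern matcher and a static-file resolver, and `canonicalize` shows the mitigation of normalizing the path once so that authorization and file lookup see the same value. It also handles dot segments, which goes beyond the repeated-slash case on this page.

```javascript
// Added illustration with simplified models; not Hono's router or serveStatic.

// Hypothetical matcher for a route pattern such as "/admin/*":
// a plain prefix test on the raw request path.
function matchesPattern(pattern, path) {
  const prefix = pattern.replace(/\*$/, '') // "/admin/*" -> "/admin/"
  return path.startsWith(prefix)
}

// Hypothetical static resolver: joins root and path, collapsing
// repeated slashes the way a filesystem path join does.
function resolveStaticPath(root, path) {
  return (root + '/' + path).replace(/\/{2,}/g, '/')
}

// Mitigation: produce one canonical path (no empty or "." segments,
// ".." resolved, escape above root rejected) and use it everywhere.
function canonicalize(path) {
  if (path.includes('\0') || path.includes('\\')) return null
  const out = []
  for (const seg of path.split('/')) {
    if (seg === '' || seg === '.') continue
    if (seg === '..') {
      if (out.length === 0) return null // would climb above the root
      out.pop()
      continue
    }
    out.push(seg)
  }
  return '/' + out.join('/')
}

// Request handler model. The demo request carries no credentials, so any
// path that the authorization pattern matches is answered with 401.
function handle(requestPath, { normalizeFirst }) {
  const path = normalizeFirst ? canonicalize(requestPath) : requestPath
  if (path === null) return { status: 400 }
  if (matchesPattern('/admin/*', path)) return { status: 401 }
  return { status: 200, file: resolveStaticPath('./static', path) }
}

// Constructed sample path with repeated slashes.
const sample = '//admin/secret.txt'
console.log('raw path       ->', handle(sample, { normalizeFirst: false }))
console.log('canonical path ->', handle(sample, { normalizeFirst: true }))
```

On a deployment that cannot upgrade immediately, the same idea applies at a reverse proxy or an early middleware: reject or canonicalize paths containing repeated slashes before any route-based authorization runs.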

Affected Version(s)

node-server < 1.19.13

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
