Cookie Parsing Vulnerability in Hono Web Application Framework
CVE-2026-39410

4.8 MEDIUM

Key Information:

Vendor

Honojs

Status
Vendor
CVE Published: 8 April 2026

What is CVE-2026-39410?

The Hono web application framework has a vulnerability in which a mismatch in cookie parsing between browsers and the parse() function allows cookie prefix protections to be bypassed. Cookies that the browser treats as different may be normalized to the same key by parse(), so attacker-controlled cookies can override legitimate ones. The issue affects all versions prior to 4.12.12 and has been addressed in that release.

Affected Version(s)

hono < 4.12.12

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
