Caching Vulnerability in Hono Web Framework by Hono
CVE-2026-44457

5.3 MEDIUM

Key Information:

Vendor: Honojs

Status
Vendor
CVE Published: 13 May 2026

What is CVE-2026-44457?

Versions of the Hono web application framework prior to 4.12.18 contain a caching flaw. The framework does not properly handle responses that require per-user variance, as signalled by Vary headers such as Vary: Authorization or Vary: Cookie. As a result, a cached response intended for one authenticated user may be served to other users, exposing sensitive data and compromising confidentiality and user privacy. Version 4.12.18 fixes the issue by bypassing the cache for requests that require user-specific responses.
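The failure mode and the bypass described above, as an added example that is not Hono's code: a hypothetical in-memory cache keyed by URL alone (`serveVulnerable`) beside one that declines to store responses whose Vary lists Authorization or Cookie (`serveHardened`). All function names, the handler and the sample requests are assumptions constructed for illustration.

```javascript
// Added illustration, not Hono's implementation. All names are hypothetical.

// Request headers that make a response user-specific when listed in Vary.
const PER_USER_VARY = new Set(["authorization", "cookie"]);

// True when the Vary value names a per-user request header.
function varyIsPerUser(vary) {
  if (!vary) return false;
  return vary
    .split(",")
    .map((name) => name.trim().toLowerCase())
    .some((name) => PER_USER_VARY.has(name));
}

// Constructed origin handler: the body depends on the Authorization header.
function profileHandler(req) {
  const user = req.headers.authorization === "Bearer alice-token" ? "alice" : "bob";
  return { headers: { vary: "Authorization" }, body: `profile of ${user}` };
}

// Flawed pattern: the cache key is the URL alone and Vary is never consulted.
function serveVulnerable(cache, req, handler) {
  if (cache.has(req.url)) return cache.get(req.url);
  const res = handler(req);
  cache.set(req.url, res);
  return res;
}

// Hardened pattern: responses with a per-user Vary are never stored.
function serveHardened(cache, req, handler) {
  if (cache.has(req.url)) return cache.get(req.url);
  const res = handler(req);
  if (!varyIsPerUser(res.headers.vary)) cache.set(req.url, res);
  return res;
}

// Constructed requests from two different authenticated users.
const alice = { url: "/me", headers: { authorization: "Bearer alice-token" } };
const bob = { url: "/me", headers: { authorization: "Bearer bob-token" } };

// Alice requests first, then Bob; returns the body Bob receives.
function demo(serve) {
  const cache = new Map();
  serve(cache, alice, profileHandler);
  return serve(cache, bob, profileHandler).body;
}

console.log("vulnerable:", demo(serveVulnerable));
console.log("hardened:  ", demo(serveHardened));
```

The same two-user sequence works as a regression check after upgrading: issue the same request under two identities and confirm the second response is not the first user's.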

Affected Version(s)

hono < 4.12.18

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
