Lack of Cookie Name Validation in Hono by HonoJS
CVE-2026-56762

6.9 MEDIUM

Key Information:

Vendor: Hono

CVE Published: 23 June 2026

What is CVE-2026-56762?

Hono versions prior to 4.12.12 do not validate cookie names in the setCookie(), serialize(), and serializeSigned() functions. A user-controlled cookie name can therefore contain invalid characters, such as control characters, and produce a malformed Set-Cookie header. In environments like Node.js and Cloudflare Workers, such invalid headers may trigger runtime errors rather than a confirmed security exploit. Consequently, this issue primarily jeopardizes the reliability and performance of applications using the Hono framework rather than exposing them to direct header injection risks.
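One way an application can guard against this before a user-controlled name reaches setCookie(), serialize(), or serializeSigned(), shown as an added example (not Hono's own code or its fix). The function names are hypothetical, and the check assumes the RFC 6265 rule that a cookie name is an HTTP token.

```javascript
// Added example; not code from Hono. All function names are hypothetical.
// RFC 6265 defines cookie-name as an HTTP "token": one or more tchar characters.
// Control characters, whitespace, ';', '=', ',' and quotes are all excluded.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function isValidCookieName(name) {
  return typeof name === 'string' && TOKEN.test(name);
}

// Build a minimal "name=value" pair, refusing any name that would
// produce a malformed Set-Cookie header.
function safeCookiePair(name, value) {
  if (!isValidCookieName(name)) {
    // JSON.stringify escapes control characters so the log line stays readable.
    throw new TypeError(`invalid cookie name: ${JSON.stringify(name)}`);
  }
  return `${name}=${encodeURIComponent(value)}`;
}

// Split untrusted names into accepted and rejected, so a handler can
// answer with a 400 instead of hitting a runtime header error later.
function partitionCookieNames(names) {
  const accepted = [];
  const rejected = [];
  for (const n of names) {
    (isValidCookieName(n) ? accepted : rejected).push(n);
  }
  return { accepted, rejected };
}

// Constructed sample input: two well-formed names, six malformed ones.
const SAMPLE_NAMES = [
  'session', 'pref_theme', 'bad name', 'x\r\ny', 'a;b', 'k=v', '', 'tab\there',
];

const result = partitionCookieNames(SAMPLE_NAMES);
console.log('accepted:', result.accepted);
console.log('rejected:', result.rejected.map((n) => JSON.stringify(n)));
```

Running the same check in a request-validation layer keeps malformed names out of the response path on versions older than 4.12.12 and remains harmless after upgrading.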

Affected Version(s)

Hono 0 < 4.12.12

Hono 4.12.12

References

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

athuljayaram