CVE-2026-24472— Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-24472
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception
Source: NVD (National Vulnerability Database)
Vulnerability Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control headers such as `Cache-Control: private` or `Cache-Control: no-store`, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users. Version 4.11.7 has a patch for the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过缓存导致的信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
Hono 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Hono是Hono社区的一个用 TypeScript 编写的 Web 框架。 Hono 4.11.7之前版本存在代码问题漏洞,该漏洞源于缓存中间件存在信息泄露,可能导致私有或经过身份验证的响应被缓存并随后暴露给未经授权的用户。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-24472
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-24472
请登录查看更多情报信息。
- Release v4.11.7 · honojs/hono · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-24472
Same Patch Batch · honojs · 2026-01-27 · 4 CVEs total
| CVE-2026-24398 | 4.8 MEDIUM | Hono's IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing |
| CVE-2026-24771 | 4.7 MEDIUM | Hono has a Cross-site Scripting vulnerability |
| CVE-2026-24473 | Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter) |
IV. Related Vulnerabilities
Same product: hono
- CVE-2026-39410
Hono has a non-breaking space prefix bypass in cookie name h - CVE-2026-39409
Hono has incorrect IP matching in ipRestriction() for IPv4-m - CVE-2026-39408
Hono has a path traversal in toSSG() allows writing files ou - CVE-2026-39407
Hono has a middleware bypass via repeated slashes in serveSt - CVE-2026-29085
Hono: SSE Control Field Injection via CR/LF in writeSSE()
Same vendor: honojs
- CVE-2026-39410
Hono has a non-breaking space prefix bypass in cookie name h - CVE-2026-39409
Hono has incorrect IP matching in ipRestriction() for IPv4-m - CVE-2026-39408
Hono has a path traversal in toSSG() allows writing files ou - CVE-2026-39407
Hono has a middleware bypass via repeated slashes in serveSt - CVE-2026-39406
@hono/node-server has a middleware bypass via repeated slash
Same weakness: CWE-524
- CVE-2026-6907
Potential exposure of private data due to incorrect handling - CVE-2026-22741
Static resource cache poisoning in Spring MVC and WebFlux - CVE-2025-14806
IBM Planning Analytics Information Disclosure - CVE-2026-27205
Flask session does not add `Vary: Cookie` header when access - CVE-2026-25540
Mastodon's signature-dependent ActivityPub collection respon
V. Comments for CVE-2026-24472
No comments yet