CVE-2026-24473— Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)

EPSS 0.01% · P3 Updated Jan 28, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-24473

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)

Source: NVD (National Vulnerability Database)

Vulnerability Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys. Version 4.11.7 contains a patch for the issue.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

信息暴露

Source: NVD (National Vulnerability Database)

Vulnerability Title

Hono 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Hono是Hono社区的一个用 TypeScript 编写的 Web 框架。 Hono 4.11.7之前版本存在安全漏洞，该漏洞源于Cloudflare Workers适配器的静态服务中间件存在信息泄露，可能导致攻击者从Workers环境中读取任意密钥。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
honojs	hono	< 4.11.7	-

II. Public POCs for CVE-2026-24473

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-24473

请登录查看更多情报信息。

Release v4.11.7 · honojs/hono · GitHubx_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2026-24473

Same Patch Batch · honojs · 2026-01-27 · 4 CVEs total

CVE-2026-24472	5.3 MEDIUM	Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception
CVE-2026-24398	4.8 MEDIUM	Hono's IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing
CVE-2026-24771	4.7 MEDIUM	Hono has a Cross-site Scripting vulnerability

IV. Related Vulnerabilities

Same product: hono

Same vendor: honojs

Same weakness: CWE-200

V. Comments for CVE-2026-24473

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-24473— Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)

I. Basic Information for CVE-2026-24473

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-24473

III. Intelligence Information for CVE-2026-24473

Same Patch Batch · honojs · 2026-01-27 · 4 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-24473

Leave a comment