CVE-2026-44457— Hono: Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
Possible ATT&CK Techniques 1AI
T1552.004 · Private KeysGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44457
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Hono: Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
Source: NVD (National Vulnerability Database)
Vulnerability Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be served to subsequent requests from different users. This vulnerability is fixed in 4.12.18.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过缓存导致的信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
Hono 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Hono是Hono社区的一个用 TypeScript 编写的 Web 框架。 Hono 4.12.18之前版本存在安全漏洞,该漏洞源于缓存中间件未跳过对声明每用户差异的响应的缓存,可能导致一个已认证用户的缓存响应被提供给后续不同用户的请求。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-44457
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44457
请登录查看更多情报信息。
- https://github.com/honojs/hono/security/advisories/GHSA-p77w-8qqv-26rmx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-44457
Same Patch Batch · honojs · 2026-05-13 · 5 CVEs total
| CVE-2026-44456 | 6.5 MEDIUM | Hono: bodyLimit() can be bypassed for chunked / unknown-length requests |
| CVE-2026-44455 | 4.7 MEDIUM | Hono: Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection |
| CVE-2026-44458 | 4.3 MEDIUM | Hono: CSS Declaration Injection via Style Object Values in JSX SSR |
| CVE-2026-44459 | 3.8 LOW | Hono: Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify() |
IV. Related Vulnerabilities
Same product: hono
- CVE-2026-44459
Hono: Improper validation of NumericDate claims (exp, nbf, i - CVE-2026-44458
Hono: CSS Declaration Injection via Style Object Values in J - CVE-2026-44456
Hono: bodyLimit() can be bypassed for chunked / unknown-leng - CVE-2026-44455
Hono: Unvalidated JSX Tag Names in hono/jsx May Allow HTML I - CVE-2026-39410
Hono has a non-breaking space prefix bypass in cookie name h
Same vendor: honojs
- CVE-2026-44459
Hono: Improper validation of NumericDate claims (exp, nbf, i - CVE-2026-44458
Hono: CSS Declaration Injection via Style Object Values in J - CVE-2026-44456
Hono: bodyLimit() can be bypassed for chunked / unknown-leng - CVE-2026-44455
Hono: Unvalidated JSX Tag Names in hono/jsx May Allow HTML I - CVE-2026-39410
Hono has a non-breaking space prefix bypass in cookie name h
Same weakness: CWE-524
- CVE-2026-6907
Potential exposure of private data due to incorrect handling - CVE-2026-22741
Static resource cache poisoning in Spring MVC and WebFlux - CVE-2025-14806
IBM Planning Analytics Information Disclosure - CVE-2026-27205
Flask session does not add `Vary: Cookie` header when access - CVE-2026-25540
Mastodon's signature-dependent ActivityPub collection respon
V. Comments for CVE-2026-44457
No comments yet