Skip to main content

AWS CVE-2026-27700

HIGH
Authentication Bypass by Spoofing (CWE-290)
2026-02-25 security-advisories@github.com GHSA-xh87-mx6m-69f3
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
Patch released
Mar 02, 2026 - 16:17 nvd
Patch available
CVE Published
Feb 25, 2026 - 16:23 nvd
HIGH 8.2

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 6 npm packages depend on hono (4 direct, 2 indirect)

Ecosystem-wide dependent count for version 4.12.0.

DescriptionGitHub Advisory

Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (hono/aws-lambda) behind an Application Load Balancer (ALB), the getConnInfo() function incorrectly selected the first value from the X-Forwarded-For header. Because AWS ALB appends the real client IP address to the end of the X-Forwarded-For header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms (such as the ipRestriction middleware) to be bypassed. Version 4.12.2 patches the issue.

AnalysisAI

Hono is a Web application framework that provides support for any JavaScript runtime. [CVSS 8.2 HIGH]

Technical ContextAI

Classified as CWE-290 (Authentication Bypass by Spoofing). Affects Hono. Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (hono/aws-lambda) behind an Application Load Balancer (ALB), the getConnInfo() function incorrectly selected the first value from the X-Forwarded-For header. Because AWS ALB appends the real client IP address to the end of the X-Forwarded-For header, the first value can be attacker-controlled. This could allow IP-based access control mecha

RemediationAI

A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.

More in AWS

View all
CVE-2026-27702 CRITICAL POC
9.9 Feb 25

Unauthorized data access in Budibase low-code platform before 3.30.4 allows unauthenticated users to manipulate internal

CVE-2020-37153 CRITICAL POC
9.8 Feb 11

Multiple vulnerabilities in ASTPP 4.0.1 including XSS and command injection in SIP device configuration and plugin manag

CVE-2019-25333 HIGH POC
7.5 Feb 12

Bullwark Momentum Series JAWS 1.0 contains a directory traversal vulnerability that allows unauthenticated attackers to

CVE-2026-25492 MEDIUM POC
6.5 Feb 09

Craft CMS versions 3.5.0-4.16.17 and 5.0.0-RC1-5.8.21 contain a server-side request forgery vulnerability in the save_im

CVE-2025-20286 CRITICAL
9.9 Jun 04

Default credentials in Cisco ISE cloud deployments on AWS/Azure/OCI. CVSS 9.9.

CVE-2020-37114 MEDIUM POC
4.3 Feb 03

GUnet OpenEclass 1.7.3 allows unauthenticated and authenticated users to access sensitive information, including system

CVE-2025-52454 HIGH
8.2 Jul 25

Salesforce Tableau Server on Windows and Linux allows authenticated attackers with low privileges to conduct Server-Side

CVE-2025-61916 HIGH
7.9 Jan 05

Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.

CVE-2025-4960 HIGH
7.8 Feb 19

The com.epson.InstallNavi.helper tool, deployed with the EPSON printer driver installer, contains a local privilege esca

CVE-2025-15115 MEDIUM
6.5 Jan 04

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an authentication bypass vulnerability that allows una

CVE-2026-3337 MEDIUM
5.9 Mar 02

Timing side-channel attacks in AWS-LC's AES-CCM decryption implementation allow unauthenticated attackers to infer authe

CVE-2026-22239 MEDIUM
5.3 Jan 14

BLUVOYIX's email sending API contains design flaws that permit unauthenticated attackers to send arbitrary emails on beh

Share

CVE-2026-27700 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy