AWS
CVE-2026-27700
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 6 npm packages depend on hono (4 direct, 2 indirect)
Ecosystem-wide dependent count for version 4.12.0.
DescriptionGitHub Advisory
Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (hono/aws-lambda) behind an Application Load Balancer (ALB), the getConnInfo() function incorrectly selected the first value from the X-Forwarded-For header. Because AWS ALB appends the real client IP address to the end of the X-Forwarded-For header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms (such as the ipRestriction middleware) to be bypassed. Version 4.12.2 patches the issue.
AnalysisAI
Hono is a Web application framework that provides support for any JavaScript runtime. [CVSS 8.2 HIGH]
Technical ContextAI
Classified as CWE-290 (Authentication Bypass by Spoofing). Affects Hono. Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (hono/aws-lambda) behind an Application Load Balancer (ALB), the getConnInfo() function incorrectly selected the first value from the X-Forwarded-For header. Because AWS ALB appends the real client IP address to the end of the X-Forwarded-For header, the first value can be attacker-controlled. This could allow IP-based access control mecha
RemediationAI
A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.
Unauthorized data access in Budibase low-code platform before 3.30.4 allows unauthenticated users to manipulate internal
Multiple vulnerabilities in ASTPP 4.0.1 including XSS and command injection in SIP device configuration and plugin manag
Bullwark Momentum Series JAWS 1.0 contains a directory traversal vulnerability that allows unauthenticated attackers to
Craft CMS versions 3.5.0-4.16.17 and 5.0.0-RC1-5.8.21 contain a server-side request forgery vulnerability in the save_im
Default credentials in Cisco ISE cloud deployments on AWS/Azure/OCI. CVSS 9.9.
GUnet OpenEclass 1.7.3 allows unauthenticated and authenticated users to access sensitive information, including system
Salesforce Tableau Server on Windows and Linux allows authenticated attackers with low privileges to conduct Server-Side
Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.
The com.epson.InstallNavi.helper tool, deployed with the EPSON printer driver installer, contains a local privilege esca
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an authentication bypass vulnerability that allows una
Timing side-channel attacks in AWS-LC's AES-CCM decryption implementation allow unauthenticated attackers to infer authe
BLUVOYIX's email sending API contains design flaws that permit unauthenticated attackers to send arbitrary emails on beh
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-xh87-mx6m-69f3