What is the CVSS score of CVE-2026-29045?

CVE-2026-29045 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Hono are affected by CVE-2026-29045?

CVE-2026-29045 affects Hono web framework deployments where static file serving is combined with middleware-based access controls, potentially allowing attackers to bypass authentication and access…. A patch is available.

Hono CVE-2026-29045

HIGH

Improper Handling of URL Encoding (Hex Encoding) (CWE-177)

2026-03-04 security-advisories@github.com

GHSA-q5qw-h33p-qvwr

Authentication Bypass Hono

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:05 vuln.today

Patch released

Mar 06, 2026 - 18:06 nvd

Patch available

CVE Published

Mar 04, 2026 - 23:16 nvd

HIGH 7.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

10 npm packages depend on hono (10 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.12.4.

DescriptionNVD

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to be accessed without authorization. The router used decodeURI, while serveStatic used decodeURIComponent. This mismatch allowed paths containing encoded slashes (%2F) to bypass middleware protections while still resolving to the intended filesystem path. This issue has been patched in version 4.12.4.

AnalysisAI

Hono versions prior to 4.12.4 suffer from an authentication bypass in serveStatic when combined with route-based middleware protections due to inconsistent URL decoding between the router and file serving components. An unauthenticated remote attacker can exploit this mismatch by encoding slashes (%2F) in request paths to access protected static resources that should be restricted by middleware rules. …

RemediationAI

Within 24 hours: Inventory all applications using Hono framework and identify those with serveStatic and route-based middleware protections enabled. Within 7 days: Apply vendor patch to upgrade Hono to version 4.12.4 or later across all affected systems; conduct testing in non-production environments first. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-29045 vulnerability details – vuln.today

Back

Hono CVE-2026-29045

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code