What is the CVSS score of CVE-2026-54290?

CVE-2026-54290 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N.

Which versions of Hono are affected by CVE-2026-54290?

Hono web framework versions before 4.12.25 contain a critical vulnerability allowing attackers to steal authentication cookies and session credentials from users through CORS misconfiguration,…. A patch is available.

How to fix or mitigate CVE-2026-54290?

24 hours: Audit all production Hono instances for CORS middleware configuration; immediately restrict allowed origins to explicit domains and disable credentials:true if cross-origin authentication is not required. 7 days: Develop and test deployment plan for Hono version 4.12.25 or later; implement SameSite=Strict on authentication cookies and monitor Hono project repository for patches. 30 days: Complete upgrade of all Hono deployments to version 4.12.25 or later and verify CORS configuration post-deployment.

Hono CVE-2026-54290

HIGH

Permissive Cross-domain Security Policy with Untrusted Domains (CWE-942)

2026-06-16 https://github.com/honojs/hono

GHSA-88fw-hqm2-52qc

Cors Misconfiguration Information Disclosure

7.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.1 HIGH

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

vuln.today AI

7.1 HIGH

Network-reachable via victim's browser (AV:N), trivial to trigger (AC:L), no attacker auth (PR:N), victim must visit malicious page (UI:R), full read of authenticated responses (C:H), limited writes via CSRF-style calls (I:L).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Source Code Evidence Fetched

Jun 16, 2026 - 14:51 vuln.today

Analysis Generated

Jun 16, 2026 - 14:51 vuln.today

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

63,231 npm packages depend on hono (4,422 direct, 59,135 indirect)

Ecosystem-wide dependent count for version 4.12.25.

DescriptionGitHub Advisory

Summary

With credentials: true and no explicit origin (the default wildcard), the CORS Middleware reflects the request's Origin and sends Access-Control-Allow-Credentials: true. Any site can then make credentialed cross-origin requests and read the responses, exposing cookie-authenticated endpoints to arbitrary origins.

Details

The spec forbids Access-Control-Allow-Origin: * with credentials and browsers reject it, so this configuration used to fail closed. In affected versions the middleware reflects the request Origin instead, so it now succeeds for every origin, including null. The preflight also echoes the requested headers back, approving non-simple credentialed requests too.

This issue arises when an application enables credentials: true and leaves origin unset or set to the wildcard.

Impact

Any third-party page a logged-in user visits can read the application's cookie-authenticated endpoints and perform credentialed state-changing requests. This affects applications that enable credentialed CORS without restricting origin.

AnalysisAI

Cross-origin credential exposure in Hono web framework versions prior to 4.12.25 allows arbitrary third-party sites to read responses from cookie-authenticated endpoints when applications enable the CORS middleware with credentials: true and leave origin unset. The middleware reflects the request Origin header alongside Access-Control-Allow-Credentials: true, bypassing the browser's standard wildcard-with-credentials safeguard. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify Hono app with credentialed CORS

Delivery

Host malicious page on attacker origin

Exploit

Lure authenticated victim to page

Execution

Browser sends credentialed cross-origin request

Persist

Hono reflects Origin and Allow-Credentials

Impact

Attacker script reads response and forges state-changing calls

Access

Identify Hono app with credentialed CORS

Delivery

Host malicious page on attacker origin

Exploit

Lure authenticated victim to page

Execution

Browser sends credentialed cross-origin request

Persist

Hono reflects Origin and Allow-Credentials

Impact

Attacker script reads response and forges state-changing calls

Vulnerability AssessmentAI

Exploitation	Exploitation requires the target Hono application to instantiate the CORS middleware with credentials: true while omitting the origin option or setting it to the wildcard '*' - applications using an explicit origin allowlist are not exploitable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N (7.1 High) accurately captures the threat: network-reachable, low complexity, no authentication required of the attacker, but user interaction (the victim must visit an attacker-controlled page while authenticated) and only partial integrity impact since state-changing actions are limited by what the application's authenticated endpoints permit. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker registers evil.example, hosts a page with JavaScript that issues fetch('https://victim-app.example/api/account', {credentials: 'include'}), and lures a logged-in victim to visit it via phishing or a malvertising link. Hono's CORS middleware reflects evil.example as the allowed origin and sets Access-Control-Allow-Credentials: true, so the victim's browser permits the request, attaches session cookies, and exposes the response body to the attacker's script - enabling both data exfiltration and credentialed state-changing actions like password or email changes.
Remediation	Vendor-released patch: upgrade hono to version 4.12.25 or later, which restores fail-closed behavior for the credentials + wildcard origin combination - see the GitHub Security Advisory at https://github.com/honojs/hono/security/advisories/GHSA-88fw-hqm2-52qc. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all production Hono instances for CORS middleware configuration; immediately restrict allowed origins to explicit domains and disable credentials:true if cross-origin authentication is not required. …

Threat intelligence, references, and detailed analysis are available after sign-in.