Skip to main content

Hono Framework EUVDEUVD-2026-42326

| CVE-2026-59896 MEDIUM
Race Condition (CWE-362)
2026-07-08 GitHub_M
6.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.5 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
vuln.today AI
6.5 MEDIUM

Race condition requires concurrent async requests (AC:H); no attacker credentials needed (PR:N); context leakage yields high confidentiality impact and low integrity impact across user boundaries.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 18:02 EUVD
Analysis Generated
Jul 08, 2026 - 17:14 vuln.today

DescriptionCVE.org

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.11.8 before 4.12.27, hono/jsx did not isolate context values per request during server-side rendering, allowing createContext, useContext, jsxRenderer, or useRequestContext data from a different in-flight request to be used after an await in an async component. This issue is fixed in version 4.12.27.

AnalysisAI

Server-side rendering in Hono's JSX module (versions 4.11.8 through before 4.12.27) fails to isolate context values per request, enabling cross-request data leakage under concurrent load. When async components yield at an await boundary, the shared context store can be overwritten by a concurrent in-flight request, causing createContext, useContext, jsxRenderer, or useRequestContext data from one user's session to bleed into another user's response. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send concurrent HTTP requests to Hono SSR endpoint
Delivery
Async JSX component yields at await boundary
Exploit
Event loop executes second request's context write
Execution
Resumed first component reads second request's context
Impact
Attacker or second user receives cross-user sensitive data in response

Vulnerability AssessmentAI

Exploitation Exploitation requires the target application to run Hono versions 4.11.8 through before 4.12.27 with server-side rendering enabled via hono/jsx, and to use at least one async JSX component (containing an await expression) that reads from context via createContext, useContext, jsxRenderer, or useRequestContext. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 6.5 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N is consistent with the described vulnerability class. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker or non-malicious user sends a high volume of concurrent authenticated requests to a Hono SSR application. Under sufficient concurrency, a request handler resumes after an await in an async JSX component and reads context data that was written by a concurrently executing request belonging to a different user, causing a response to be rendered with another user's session or profile data. …
Remediation Upgrade Hono to version 4.12.27 or later, which resolves the per-request context isolation issue. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Hono

View all
CVE-2024-48913 MEDIUM POC
5.9 Oct 15

Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by

CVE-2024-32869 MEDIUM POC
5.3 Apr 23

Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.3),

CVE-2024-43787 MEDIUM POC
5.0 Aug 22

Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.0),

CVE-2023-50710 MEDIUM POC
4.3 Dec 14

Hono is a web framework written in TypeScript. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploita

CVE-2026-27700 HIGH
8.2 Feb 25

Hono is a Web application framework that provides support for any JavaScript runtime. [CVSS 8.2 HIGH]

CVE-2026-22818 HIGH
8.2 Jan 13

Hono versions before 4.11.4 allow JWT algorithm confusion attacks through improper algorithm validation in the JWK/JWKS

CVE-2026-22817 HIGH
8.2 Jan 13

Hono before version 4.11.4 contains a JWT algorithm confusion vulnerability in its JWK/JWKS verification middleware that

CVE-2026-29045 HIGH
7.5 Mar 04

Hono versions prior to 4.12.4 suffer from an authentication bypass in serveStatic when combined with route-based middlew

CVE-2020-27217 HIGH
7.5 Nov 13

In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received fro

CVE-2025-71381 MEDIUM
6.9 Jun 30

Header injection in Hono's CORS middleware exposes applications to cache key pollution across versions before 4.10.3. Wh

CVE-2026-56762 MEDIUM
6.9 Jun 23

Missing cookie name validation on the write path in Hono's setCookie(), serialize(), and serializeSigned() functions all

CVE-2026-29085 MEDIUM
6.5 Mar 04

Hono versions up to 4.12.4 contains a vulnerability that allows attackers to injection of additional SSE fields within t

Share

EUVD-2026-42326 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy