CVE-2026-29087
Received Received - Intake
Authorization Bypass via URL Decoding in @hono/node-server Static Files

Publication date: 2026-03-06

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served. This issue has been patched in version 1.19.10.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29087
EUVD
EUVD-2026-10047
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hono node-server to 1.19.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The immediate mitigation step is to upgrade the @hono/node-server package to version 1.19.10 or later, where this vulnerability has been patched.

The patch includes safer URI decoding, path traversal protections, and fixes to ensure that route-based middleware protections cannot be bypassed by encoded slashes in URLs.

Until the upgrade is applied, consider implementing additional access control checks directly in the static file serving layer or avoid relying solely on route-based middleware for protecting static resources.

Executive Summary

CVE-2026-29087 is an authorization bypass vulnerability in the @hono/node-server package prior to version 1.19.10. It occurs when static file serving is used together with route-based middleware protections, such as protecting paths like /admin/*. The issue arises because the routing layer and the static file handler decode URLs inconsistently. Specifically, encoded slashes (%2F) are treated differently: the router treats them as literal strings and does not match the protected route, while the static file handler decodes %2F into a slash (/) and serves the file. This discrepancy allows an attacker to access protected static resources without triggering the authorization middleware.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of protected static files. If your application relies solely on route-based middleware for access control under the same static root, attackers can bypass these protections by crafting requests with encoded slashes (%2F). This allows them to access sensitive files that should be restricted, without needing any privileges or user interaction. The vulnerability can be exploited remotely over the network.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by testing if requests with encoded slashes (%2F) in URLs bypass route-based middleware protections and access protected static files without authorization.

For example, you can attempt to access a protected resource normally and then with an encoded slash in the path to see if the authorization middleware is bypassed.

  • Send a request to a protected path like /admin/secret.txt with proper authorization headers and verify access is granted.
  • Send a request to the same resource but with an encoded slash in the path, e.g., /admin%2Fsecret.txt, and check if the file is served without authorization.

If the second request returns the protected file without requiring authorization, the system is vulnerable.

No specific commands are provided in the resources, but using tools like curl or HTTP clients to craft such requests can help detect the issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29087. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart