CVE-2026-33490
Path Traversal in H3 mount() Causes Privilege Escalation
Publication date: 2026-03-26
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| h3 | h3 | 2.0.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-706 | The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in CVE-2026-33490 affects the `mount()` method in the h3 framework versions 2.0.0-0 through 2.0.1-rc.16. The method uses a simple `startsWith()` check to determine if an incoming request path falls under a mounted sub-application's base path. However, this check does not verify path segment boundaries, meaning it does not confirm that the character following the base path prefix is a path delimiter like `/` or the end of the string.
Because of this, middleware registered on a mount point such as `/admin` will also execute for unrelated routes that share the string prefix, such as `/admin-public`, `/administrator`, or `/adminstuff`. This causes unintended middleware execution on unrelated routes, allowing attackers to trigger privileged context-setting middleware on paths it was never intended to affect.
This leads to context pollution where privileged flags (e.g., `event.context.isAdmin = true`) are incorrectly assigned to requests for unrelated routes, potentially enabling authorization bypass. Additionally, a utility function `withoutBase()` incorrectly strips base path prefixes for any string prefix match, causing malformed paths and possible routing errors.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to trigger privileged middleware on routes that should not have such privileges. For example, middleware intended only for `/admin` routes can be executed on unrelated routes like `/admin-public` or `/administrator`.
As a result, attackers can cause context pollution by setting privileged flags incorrectly, such as `isAdmin = true`, on requests that should not have them. This can lead to authorization bypass, where protected functionality is accessed without proper permissions.
Furthermore, the incorrect path handling can cause routing errors or other security issues due to malformed paths.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing whether middleware registered on a mounted path prefix (e.g., /admin) is incorrectly executed on unrelated routes that share the same string prefix (e.g., /admin-public, /administrator).
One way to detect this is to send HTTP requests to routes that start with the mounted base path but are not intended to trigger the middleware, and observe if privileged context flags (such as isAdmin) are incorrectly set.
For example, you can use curl commands to test this behavior:
- curl -i http://yourserver/admin-public/info
- curl -i http://yourserver/administrator
If the middleware for /admin is triggered on these unrelated routes, the response or logs may indicate that privileged flags are set incorrectly.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade the h3 framework to version 2.0.2-rc.17 or later, where the vulnerability is patched.
The patch adds a path segment boundary check after the startsWith() call to ensure that middleware only executes on exact base paths or their proper sub-paths, preventing unintended middleware execution on unrelated routes.
If upgrading is not immediately possible, review and modify your middleware mounting strategy to avoid using base paths that are prefixes of other unrelated routes.
Additionally, audit your middleware to ensure it does not set privileged context flags based solely on path prefix matching without proper boundary checks.
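The prefix check described above, beside the boundary-checked replacement the patch is described as adding, as an added example that is not h3's own code: the function names, the mount table and the sample paths are assumptions chosen to mirror the behaviour the advisory describes.

```javascript
// Added example, not h3's own code: a minimal model of mounting a sub-app
// on a base path. Function names, the mount table and the sample paths
// are assumptions chosen to mirror the behaviour the advisory describes.

// The bare prefix test the advisory attributes to the vulnerable mount().
function matchesBaseVulnerable(path, base) {
  return path.startsWith(base);
}

// Boundary-checked test: after the prefix, the next character must be a
// "/" (proper sub-path) or the end of the string (the exact base path).
function matchesBaseFixed(path, base) {
  const b = base.replace(/\/+$/, ""); // tolerate a mount written as "/admin/"
  if (!path.startsWith(b)) return false;
  const next = path.charAt(b.length);
  return next === "" || next === "/";
}

// Stripping on any string match yields malformed paths such as
// "-public/info" for "/admin-public/info" mounted at "/admin".
function withoutBaseVulnerable(path, base) {
  return path.startsWith(base) ? path.slice(base.length) : path;
}

// Strip the base only when it is a whole path segment; "" becomes "/".
function withoutBaseFixed(path, base) {
  const b = base.replace(/\/+$/, "");
  if (!matchesBaseFixed(path, b)) return path;
  return path.slice(b.length) || "/";
}

// Simulated middleware chain: the "/admin" mount sets a privileged flag on
// the request context. Returns the context so the effect can be inspected.
function dispatch(path, matcher) {
  const event = { path, context: {} };
  const mounts = [
    { base: "/admin", handler: (ev) => { ev.context.isAdmin = true; } },
  ];
  for (const m of mounts) {
    if (matcher(event.path, m.base)) m.handler(event);
  }
  return event.context;
}

// With the vulnerable matcher the flag leaks onto an unrelated route;
// with the fixed matcher it does not.
console.log(dispatch("/admin-public/info", matchesBaseVulnerable)); // { isAdmin: true }
console.log(dispatch("/admin-public/info", matchesBaseFixed));      // {}
```

Running the file with node prints the polluted context first and an empty context second; the same matcher is what an audit of locally written mount or prefix logic should look for.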
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows middleware registered on a specific path (e.g., /admin) to execute on unrelated routes that share the same string prefix (e.g., /admin-public), leading to context pollution with privileged flags and potential authorization bypass.
This unintended privilege escalation and context pollution could lead to unauthorized access to protected functionality or sensitive data.
Such unauthorized access risks violating compliance requirements in standards and regulations like GDPR and HIPAA, which mandate strict access controls and protection of sensitive information.
Therefore, the vulnerability may negatively impact compliance by enabling attackers to bypass authorization controls and access data or functionality they should not have, potentially leading to data breaches or unauthorized data processing.