CVE-2026-33490
Received Received - Intake
Path Traversal in H3 mount() Causes Privilege Escalation

Publication date: 2026-03-26

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-string), middleware registered on a mount like `/admin` will also execute for unrelated routes such as `/admin-public`, `/administrator`, or `/adminstuff`. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags. Version 2.0.2-rc.17 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33490
Affected Vendors & Products
Showing 16 associated CPEs
Vendor Product Version / Range
h3 h3 2.0.1
h3 h3 2.0.1
h3 h3 2.0.1
h3 h3 2.0.1
h3 h3 2.0.1
h3 h3 2.0.1
h3 h3 2.0.1
h3 h3 2.0.1
h3 h3 2.0.1
h3 h3 2.0.1
h3 h3 2.0.1
h3 h3 2.0.1
h3 h3 2.0.1
h3 h3 2.0.1
h3 h3 2.0.1
h3 h3 2.0.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in CVE-2026-33490 affects the `mount()` method in the h3 framework versions 2.0.0-0 through 2.0.1-rc.16. The method uses a simple `startsWith()` check to determine if an incoming request path falls under a mounted sub-application's base path. However, this check does not verify path segment boundaries, meaning it does not confirm that the character following the base path prefix is a path delimiter like `/` or the end of the string.

Because of this, middleware registered on a mount point such as `/admin` will also execute for unrelated routes that share the string prefix, such as `/admin-public`, `/administrator`, or `/adminstuff`. This causes unintended middleware execution on unrelated routes, allowing attackers to trigger privileged context-setting middleware on paths it was never intended to affect.

This leads to context pollution where privileged flags (e.g., `event.context.isAdmin = true`) are incorrectly assigned to requests for unrelated routes, potentially enabling authorization bypass. Additionally, a utility function `withoutBase()` incorrectly strips base path prefixes for any string prefix match, causing malformed paths and possible routing errors.

Impact Analysis

This vulnerability can impact you by allowing attackers to trigger privileged middleware on routes that should not have such privileges. For example, middleware intended only for `/admin` routes can be executed on unrelated routes like `/admin-public` or `/administrator`.

As a result, attackers can cause context pollution by setting privileged flags incorrectly, such as `isAdmin = true`, on requests that should not have them. This can lead to authorization bypass, where protected functionality is accessed without proper permissions.

Furthermore, the incorrect path handling can cause routing errors or other security issues due to malformed paths.

Detection Guidance

This vulnerability can be detected by testing whether middleware registered on a mounted path prefix (e.g., /admin) is incorrectly executed on unrelated routes that share the same string prefix (e.g., /admin-public, /administrator).

One way to detect this is to send HTTP requests to routes that start with the mounted base path but are not intended to trigger the middleware, and observe if privileged context flags (such as isAdmin) are incorrectly set.

For example, you can use curl commands to test this behavior:

  • curl -i http://yourserver/admin-public/info
  • curl -i http://yourserver/administrator

If the middleware for /admin is triggered on these unrelated routes, the response or logs may indicate that privileged flags are set incorrectly.

Mitigation Strategies

The immediate mitigation is to upgrade the h3 framework to version 2.0.2-rc.17 or later, where the vulnerability is patched.

The patch adds a path segment boundary check after the startsWith() call to ensure that middleware only executes on exact base paths or their proper sub-paths, preventing unintended middleware execution on unrelated routes.

If upgrading is not immediately possible, review and modify your middleware mounting strategy to avoid using base paths that are prefixes of other unrelated routes.

Additionally, audit your middleware to ensure it does not set privileged context flags based solely on path prefix matching without proper boundary checks.

Compliance Impact

The vulnerability allows middleware registered on a specific path (e.g., /admin) to execute on unrelated routes that share the same string prefix (e.g., /admin-public), leading to context pollution with privileged flags and potential authorization bypass.

This unintended privilege escalation and context pollution could lead to unauthorized access to protected functionality or sensitive data.

Such unauthorized access risks violating compliance requirements in standards and regulations like GDPR and HIPAA, which mandate strict access controls and protection of sensitive information.

Therefore, the vulnerability may negatively impact compliance by enabling attackers to bypass authorization controls and access data or functionality they should not have, potentially leading to data breaches or unauthorized data processing.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33490. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart