CVE-2026-39406
Received Received - Intake
Path Traversal Middleware Bypass in @hono/node-server Prior to

Publication date: 2026-04-08

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 1.19.13.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39406
EUVD
EUVD-2026-20491
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hono node-server to 1.19.12 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39406 is a moderate severity vulnerability in the @hono/node-server package before version 1.19.13. It involves an inconsistency in how repeated slashes (//) in request paths are handled between the routing middleware and the serveStatic middleware.

Specifically, route-based middleware (such as routes matching /admin/*) does not recognize paths containing repeated slashes and therefore fails to apply authorization checks. Meanwhile, serveStatic normalizes these paths and serves the requested static files.

This mismatch allows an attacker to bypass middleware protections by crafting requests with repeated slashes (for example, GET //admin/secret.txt), gaining unauthorized access to protected static files.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the @hono/node-server package to version 1.19.13 or later, where the issue with path normalization and middleware bypass has been fixed.

Until the upgrade can be applied, consider implementing additional validation or normalization of request paths to prevent repeated slashes from bypassing route-based middleware.

Also, review and test your route-based middleware to ensure it correctly handles and normalizes paths with repeated slashes.

Impact Analysis

This vulnerability can allow an attacker to bypass route-based authorization middleware and access protected static files without proper permission.

Since no privileges or user interaction are required, an attacker can remotely exploit this issue by sending specially crafted requests with repeated slashes in the URL path.

The impact is limited to unauthorized read access to protected files, which could lead to exposure of sensitive information.

Detection Guidance

This vulnerability can be detected by testing if requests with repeated slashes (//) in the path bypass route-based middleware protections and access protected static files.

For example, you can attempt to access a protected resource by sending HTTP requests with repeated slashes in the URL path, such as:

  • curl -i http://yourserver//admin/secret.txt
  • curl -i http://yourserver//protected/path/file

If these requests return the protected files without proper authorization, it indicates the presence of the vulnerability.

Compliance Impact

This vulnerability allows unauthorized access to protected static files by bypassing route-based middleware authorization due to inconsistent path handling. Such unauthorized access to protected files could lead to exposure of sensitive or confidential information.

As a result, organizations using affected versions of @hono/node-server might face challenges in maintaining compliance with data protection regulations and standards like GDPR or HIPAA, which require strict access controls to protect personal or sensitive data.

The vulnerability's confidentiality impact is rated as low, indicating unauthorized read access, which could still be significant depending on the nature of the protected files.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39406. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart