CVE-2026-54286
Deferred - Pending Action
Path Traversal in Hono Web Framework

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded backslash (%5C) in the request path decodes to \, which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as admin\secret.txt into a nested file under the root and serves it, letting an attacker read static files meant to be protected behind prefix-mounted middleware. This vulnerability is fixed in 4.12.25.
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-23
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor   Product        Version / Range
honojs   hono           to 4.12.25 (exc)
honojs   serve-static   to 4.12.25 (exc)
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Quick Actions
Executive Summary

CVE-2026-54286 is a path traversal vulnerability in the serve-static module of the Hono web framework that affects Windows hosts. When a request path contains an encoded backslash (%5C), it is decoded to a literal backslash (\), which Windows treats as a path separator. This allows an attacker to bypass middleware-based access controls by crafting URLs like /admin%5Csecret.txt. The serve-static module interprets this as a single path segment and resolves it into nested files under the root directory, exposing static files that should be protected.

The vulnerability does not allow escaping the configured root directory but enables unauthorized access to files within protected subdirectories. It requires no authentication and is exploitable over the network.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of static files that are meant to be protected behind middleware access controls. An attacker can read sensitive files within protected directories by exploiting the path traversal issue, potentially exposing confidential information.

Since the attack requires no authentication and can be performed remotely, it increases the risk of data exposure without user interaction.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests for encoded backslash sequences (%5C) in the URL path, especially in requests aimed at a protected prefix, for example /admin%5Csecret.txt.

You can use network traffic inspection tools or web server logs to search for such suspicious requests.

For example, on a Linux system with access to web server logs, you might run a command like the following (the -i flag also matches the lowercase %5c form, which decodes to the same character):

  • grep -i "%5c" /path/to/access.log

Or use tools like tcpdump or Wireshark to capture and filter HTTP requests containing %5C in the URL.

Mitigation Strategies

The immediate mitigation step is to upgrade the Hono framework to version 4.12.25 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, consider implementing additional request filtering or firewall rules to block requests containing encoded backslashes (%5C) in the URL path.

Also, review your middleware and static file serving configuration to ensure that path traversal attempts are properly blocked.
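The detection and mitigation steps above, as one added JavaScript example (it is not Hono project code and not part of this advisory): a scanner that applies the encoded-backslash check to access-log lines, and a request filter written against Hono's middleware signature. It goes a little beyond the grep above by matching both hex cases and by ignoring the query string, where a %5C cannot select a file. Assumptions: Hono's `(c, next)` middleware shape, `c.req.url` and `c.text()` are taken as the real Hono API; the access-log format, the sample log lines and the `makeStubContext` helper used to exercise the filter without a running app are constructed here.

```javascript
// Added example, not Hono project code. Flags request paths that carry an
// encoded backslash, the pattern behind CVE-2026-54286, and rejects them
// before serve-static can resolve them on a Windows host.

// Raw (still percent-encoded) path: %5C in either hex case, or a literal
// backslash that a permissive client might send unencoded.
const BACKSLASH_PATTERN = /%5c|\\/i;

function hasBackslashSegment(rawPath) {
  return BACKSLASH_PATTERN.test(rawPath);
}

// Common/combined access-log line (assumed format, as written by nginx/Apache):
// client ident user [timestamp] "METHOD target HTTP/x" status ...
const ACCESS_LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/;

// Return one record per request whose *path* contains an encoded backslash.
// Only the path is inspected: a %5C inside the query string cannot select a file.
function scanAccessLog(lines) {
  const hits = [];
  for (const line of lines) {
    const m = ACCESS_LOG_LINE.exec(line);
    if (!m) continue;                        // not an access-log line, skip it
    const [, client, timestamp, method, target, status] = m;
    const path = target.split('?')[0];
    if (hasBackslashSegment(path)) {
      hits.push({ client, timestamp, method, path, status: Number(status) });
    }
  }
  return hits;
}

// Decision taken by the request filter, kept separate so it can be exercised
// without a running Hono app. c.req.url is the full URL string Hono exposes;
// URL.pathname keeps percent-encoding exactly as the client sent it.
function blockedResponse(c) {
  const rawPath = new URL(c.req.url).pathname;
  return hasBackslashSegment(rawPath) ? c.text('Bad Request', 400) : null;
}

// Hono-style middleware (assumed API: (c, next), c.req.url, c.text()).
// Register it on '*' so it runs for every request; a prefix-mounted
// middleware is exactly what the encoded backslash slips past.
async function rejectBackslashPaths(c, next) {
  const blocked = blockedResponse(c);
  if (blocked) return blocked;
  await next();
}

// Constructed stand-in for Hono's context, used only to try the filter here.
function makeStubContext(url) {
  return {
    req: { url },
    text: (body, status) => ({ body, status }),
  };
}

// Constructed sample log lines (RFC 5737 documentation addresses).
const SAMPLE_LOG = [
  '203.0.113.7 - - [22/Jun/2026:10:00:01 +0000] "GET /admin%5Csecret.txt HTTP/1.1" 200 512 "-" "curl/8.0"',
  '203.0.113.7 - - [22/Jun/2026:10:00:02 +0000] "GET /admin%5csecret.txt HTTP/1.1" 200 512 "-" "curl/8.0"',
  '198.51.100.2 - - [22/Jun/2026:10:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
  '198.51.100.2 - - [22/Jun/2026:10:00:04 +0000] "GET /search?q=a%5Cb HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
  'not an access-log line at all',
];

console.log('suspicious requests:', scanAccessLog(SAMPLE_LOG));
console.log('filter verdict:', blockedResponse(makeStubContext('http://localhost/admin%5Csecret.txt')));
```

Mount the filter with `app.use('*', rejectBackslashPaths)` rather than under `/admin/*`: the advisory's point is that `/admin%5Csecret.txt` is one URL segment, so it never matches a prefix-mounted middleware, and a filter mounted there would be bypassed in the same way. The literal-backslash branch of the pattern matters mainly for log scanning; in the filter it is rarely reached because the WHATWG URL parser already maps a raw `\` to `/` in http URLs before Hono sees the request, leaving the percent-encoded form as the one that needs to be caught.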
