CVE-2026-54290
Deferred - Pending Action
Hono Framework CORS Credential Exposure Vulnerability

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no explicit origin (the default wildcard), the CORS Middleware reflects the request's Origin and sends Access-Control-Allow-Credentials: true. Any site can then make credentialed cross-origin requests and read the responses, exposing cookie-authenticated endpoints to arbitrary origins. This vulnerability is fixed in 4.12.25.
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-23
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: honojs
Product: hono
Version / Range: up to 4.12.25 (exclusive)
CWE
CWE-942: The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
AI Quick Actions
Executive Summary

The CVE-2026-54290 vulnerability affects the Hono web framework's CORS middleware in versions prior to 4.12.25. When the middleware is configured with credentials enabled (`credentials: true`) but without an explicit origin (which defaults to a wildcard), it reflects the Origin header from incoming requests and sends back Access-Control-Allow-Credentials: true.

This behavior allows any website to make credentialed cross-origin requests and read the responses, which exposes cookie-authenticated endpoints to arbitrary origins. Essentially, the middleware incorrectly permits credentialed requests from any origin instead of restricting them, violating the intended security model.

The vulnerability arises because the middleware reflects the Origin header instead of failing closed as the specification requires, enabling non-simple credentialed requests from untrusted domains.

Compliance Impact

This vulnerability allows any website to make credentialed cross-origin requests and read responses, exposing cookie-authenticated endpoints to arbitrary origins. This exposure can lead to unauthorized access to sensitive user data.

Such unauthorized data exposure can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information to ensure confidentiality and prevent data breaches.

Impact Analysis

This vulnerability can have a significant impact on the confidentiality of your web application data. Because any site can make credentialed cross-origin requests and read the responses, attackers can exploit this to access sensitive information protected by cookies or other credentials.

Specifically, cookie-authenticated endpoints become exposed to arbitrary origins, which can lead to unauthorized data disclosure. The CVSS score of 7.1 indicates a high severity, mainly due to the high impact on confidentiality.

While the integrity impact is low, the exposure of sensitive data can lead to privacy violations, session hijacking, or other security breaches.

Detection Guidance

To detect this vulnerability, you can check if your Hono web application is running a version prior to 4.12.25 and if the CORS middleware is configured with credentials enabled (`credentials: true`) and no explicit origin set (defaulting to wildcard).

You can test the CORS behavior by sending cross-origin requests with credentials and inspecting the response headers to see if the Access-Control-Allow-Origin header reflects the Origin of the request and if Access-Control-Allow-Credentials is set to true.

  • Use curl to send a cross-origin request with credentials and check the response headers, for example:
        curl -H "Origin: https://malicious.example.com" -b cookiefile -c cookiefile -v https://your-hono-app.example.com/endpoint
  • Inspect the response headers for Access-Control-Allow-Origin reflecting the Origin header and Access-Control-Allow-Credentials: true.

Mitigation Strategies

The immediate mitigation step is to upgrade the Hono framework to version 4.12.25 or later, where this vulnerability is fixed.

Additionally, review your CORS middleware configuration to ensure that when credentials are enabled, the origin is explicitly set to trusted domains rather than using the default wildcard.

Avoid reflecting the Origin header dynamically without validation to prevent credentialed cross-origin requests from arbitrary origins.
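The following is an added example, not Hono's own middleware code, covering both the detection check and the mitigation described in the two sections above. It models the two CORS decisions this advisory contrasts (a wildcard origin that reflects the request's Origin while credentials are enabled, versus an explicit allowlist that fails closed), and it includes an audit function you can run over response headers captured with curl or a proxy. All function names, the trusted-origin list and the probe origin are hypothetical values constructed for the example; only the header names are standard.

```javascript
// Added example (not Hono's code): model of the vulnerable and hardened CORS
// decision plus a header audit for captured responses. Helper names are
// hypothetical; header names are the standard CORS response headers.

const ACAO = 'Access-Control-Allow-Origin';
const ACAC = 'Access-Control-Allow-Credentials';

// Vulnerable pattern: origin left at the wildcard default, credentials: true.
// The wildcard is swapped for whatever Origin the request carried, so every
// site becomes a trusted origin for cookie-bearing requests.
function corsReflectingWildcard(requestOrigin, { credentials = false } = {}) {
  const headers = {};
  if (credentials && requestOrigin) {
    headers[ACAO] = requestOrigin; // reflected without any check
    headers[ACAC] = 'true';
  } else {
    headers[ACAO] = '*';
  }
  return headers;
}

// Hardened pattern: credentials are only paired with an explicit allowlist.
// A credentialed configuration with no allowlist emits no CORS headers at
// all (fail closed), so the browser blocks the cross-origin read.
function corsAllowlist(requestOrigin, { origins = [], credentials = false } = {}) {
  const headers = {};
  if (origins.length === 0) {
    if (!credentials) headers[ACAO] = '*';
    return headers;
  }
  if (requestOrigin && origins.includes(requestOrigin)) {
    headers[ACAO] = requestOrigin;
    headers['Vary'] = 'Origin'; // per-origin answers must not be cached across origins
    if (credentials) headers[ACAC] = 'true';
  }
  return headers;
}

// Detection: probeOrigin is the Origin value the tester sent (a host they
// control that is not on the trusted list). A response echoing it back with
// Allow-Credentials: true is the condition this advisory describes. Header
// names are matched case-insensitively because HTTP/2 captures are lowercase.
function auditCorsResponse(probeOrigin, responseHeaders, trustedOrigins) {
  const lower = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v])
  );
  const allowOrigin = lower[ACAO.toLowerCase()];
  const allowCreds = lower[ACAC.toLowerCase()] === 'true';
  if (allowOrigin === probeOrigin && allowCreds && !trustedOrigins.includes(probeOrigin)) {
    return { vulnerable: true, reason: `untrusted origin ${probeOrigin} reflected with credentials` };
  }
  if (allowOrigin === '*' && allowCreds) {
    // Browsers refuse this combination, so it is a misconfiguration rather
    // than a credential exposure; report it as a separate finding.
    return { vulnerable: false, reason: 'wildcard with credentials (rejected by browsers)' };
  }
  return { vulnerable: false, reason: 'no credentialed reflection of an untrusted origin' };
}

// Constructed walkthrough with placeholder origins: the same probe against
// the vulnerable configuration and the hardened one.
function demo() {
  const trusted = ['https://app.example'];          // constructed allowlist
  const probe = 'https://probe.example';            // constructed, tester-controlled
  const before = auditCorsResponse(probe, corsReflectingWildcard(probe, { credentials: true }), trusted);
  const after = auditCorsResponse(probe, corsAllowlist(probe, { origins: trusted, credentials: true }), trusted);
  return { before, after };
}

console.log(JSON.stringify(demo(), null, 2));
```

In Hono itself the mitigation corresponds to passing an explicit `origin` (a string or list of trusted origins) together with `credentials: true` to `cors()` from `hono/cors`, in addition to upgrading to 4.12.25 or later; the audit function above can be pointed at the headers returned by the curl probe from the Detection Guidance section to confirm the upgrade or configuration change took effect.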
