CVE-2026-29087 HIGH

CVE-2026-29087: @hono/node-server: Authorization bypass for protected static paths via encoded slashes in Serve Static Middleware

Vendor Honojs
Product node-server
Weakness CWE-863 · Incorrect authorization
Published March 6, 2026
Last update March 6, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served. This issue has been patched in version 1.19.10.

Key dates

02 Disclosure timeline

March 6, 2026 CVE published
March 6, 2026 Record updated