CVE-2026-24473

Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)

Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys. Version 4.11.7 contains a patch for the issue.

INFO

Published Date :

2026-01-27T19:37:52.012Z

Last Modified :

2026-01-27T20:51:59.157Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-24473 vulnerability.

Vendors	Products
Hono	Hono

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-24473.

URL	Resource
https://github.com/honojs/hono/commit/cf9a78db4d0a19b117aee399cbe9d3a6d9bfd817
https://github.com/honojs/hono/releases/tag/v4.11.7
https://github.com/honojs/hono/security/advisories/GHSA-w332-q679-j88p

CVSS Vulnerability Scoring System

V4
V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact