CVE-2026-44457 Overview
CVE-2026-44457 affects Hono, a web application framework for JavaScript runtimes including Node.js, Bun, Deno, and Cloudflare Workers. The vulnerability resides in the Cache Middleware, which fails to honor per-user Vary directives such as Vary: Authorization and Vary: Cookie. As a result, a cached response generated for one authenticated user can be returned to other users who issue subsequent requests. Versions prior to 4.12.18 are affected, and the issue is resolved in 4.12.18. The weakness is classified under CWE-524: Use of Cache Containing Sensitive Information.
Critical Impact
Authenticated user responses cached by Hono Cache Middleware may be served to unrelated users, exposing private data across session boundaries.
Affected Products
- Hono framework versions prior to 4.12.18
- Applications running on Node.js using Hono Cache Middleware
- Hono deployments on any JavaScript runtime that enables the Cache Middleware
Discovery Timeline
- 2026-05-13 - CVE-2026-44457 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44457
Vulnerability Analysis
The defect is an information disclosure issue in Hono's Cache Middleware. HTTP responses can include a Vary header that instructs caches to key entries on specific request headers. When a response carries Vary: Authorization or Vary: Cookie, downstream caches must treat each user's response as distinct. Hono's Cache Middleware ignored these directives and stored responses without partitioning them per credential. Subsequent requests for the same URL retrieved the cached entry regardless of the requesting user's identity. Sensitive data such as account details, session-bound content, and user-specific API responses could therefore leak across users.
Root Cause
The Cache Middleware logic did not inspect the Vary header on outgoing responses before storing them. The cache key was derived from request attributes that did not include the values referenced by Vary. This omission collapsed per-user response variants into a single shared cache entry, violating HTTP caching semantics defined in RFC 7234.
Attack Vector
Exploitation requires no authentication or user interaction against the vulnerable endpoint. An unauthenticated client issuing a request to a route protected by Cache Middleware can receive a previously cached response generated for an authenticated user. The vulnerability is exposed over the network and does not require special privileges, but exploitation is opportunistic and depends on cache population timing. No public proof-of-concept or exploit code has been released. See the Hono GitHub Security Advisory GHSA-p77w-8qqv-26rm for vendor details.
Detection Methods for CVE-2026-44457
Indicators of Compromise
- Application responses containing another user's data returned to unrelated sessions or anonymous clients
- Cache hits logged for routes that set Vary: Authorization or Vary: Cookie headers
- User reports of seeing account information, dashboards, or API payloads that do not belong to them
Detection Strategies
- Inventory Hono deployments and identify versions below 4.12.18 using package manifests such as package.json and package-lock.json
- Review application code for usage of the cache middleware from hono/cache on routes that handle authenticated content
- Inspect HTTP responses in staging for Vary headers paired with Cache-Control directives to flag risky route configurations
Monitoring Recommendations
- Log cache key, request Authorization header presence, and response Vary header for every cached route
- Alert when the same cache entry is served to requests with differing Authorization or Cookie values
- Track upstream CDN and reverse proxy logs for anomalous cache hit ratios on user-specific endpoints
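The alert rule above (same cache entry served to requests with differing Authorization or Cookie values) as an added detection example; this is not code from the page or from Hono. The log records are constructed, and the field names (route, cacheKey, result, credHash, vary) are assumed to come from the per-route logging recommended above, with credHash standing in for a hash of the credential rather than the raw value.

```javascript
// Added example (not from the page or Hono): flag cache entries that were
// served to requests carrying different credentials on routes whose response
// declares Vary: Authorization or Vary: Cookie.

// Constructed sample of cached-route log records. An empty credHash means the
// request carried no Authorization or Cookie header.
const SAMPLE_LOGS = [
  { route: "/api/me", cacheKey: "GET /api/me", result: "MISS", credHash: "h-alice", vary: "Authorization" },
  { route: "/api/me", cacheKey: "GET /api/me", result: "HIT", credHash: "h-bob", vary: "Authorization" },
  { route: "/api/me", cacheKey: "GET /api/me", result: "HIT", credHash: "", vary: "Authorization" },
  { route: "/public/news", cacheKey: "GET /public/news", result: "HIT", credHash: "h-alice", vary: "" },
  { route: "/public/news", cacheKey: "GET /public/news", result: "HIT", credHash: "h-bob", vary: "" },
];

// Group records by cache key and collect the distinct credentials that consumed
// each entry. A key whose response varies on a per-user header but was served to
// more than one credential (or to an anonymous client after an authenticated one
// populated it) is a cross-user leak candidate; public routes without such a
// Vary are expected to be shared and are not reported.
function findCrossUserCacheHits(logs) {
  const byKey = new Map();
  for (const rec of logs) {
    const entry = byKey.get(rec.cacheKey) ?? { creds: new Set(), perUser: false };
    entry.creds.add(rec.credHash || "<anonymous>");
    if (/\b(authorization|cookie)\b/.test(rec.vary.toLowerCase())) entry.perUser = true;
    byKey.set(rec.cacheKey, entry);
  }
  const alerts = [];
  for (const [cacheKey, entry] of byKey) {
    if (entry.perUser && entry.creds.size > 1) {
      alerts.push({ cacheKey, credentials: [...entry.creds].sort() });
    }
  }
  return alerts;
}
```

Running findCrossUserCacheHits(SAMPLE_LOGS) reports only the /api/me entry, which was populated by one user and then served to a second user and to an anonymous client.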
How to Mitigate CVE-2026-44457
Immediate Actions Required
- Upgrade Hono to version 4.12.18 or later across all runtimes
- Audit routes that use Cache Middleware and confirm that none serve per-user data until the patched version is in place
- Invalidate or purge existing cache entries that may have been populated by the vulnerable middleware
Patch Information
The maintainers fixed the issue in Hono 4.12.18. The patched Cache Middleware honors Vary: Authorization and Vary: Cookie by skipping caching for responses that declare per-user variance. Refer to the Hono GitHub Security Advisory GHSA-p77w-8qqv-26rm for the full advisory.
Workarounds
- Remove the Cache Middleware from routes that return authenticated or per-user content until the upgrade is deployed
- Set Cache-Control: private, no-store on responses that contain user-specific data to prevent storage by intermediate caches
- Restrict cached routes to fully public, non-authenticated content paths
# Upgrade Hono to the patched release
npm install hono@^4.12.18
# or
pnpm add hono@^4.12.18
# or
yarn add hono@^4.12.18
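As an added example covering both the Root Cause (a cache key that ignores the headers named by Vary) and the Workarounds above, the following is a minimal model of what a Vary-aware shared cache must do; it is not Hono's code and uses no Hono API. Headers are represented as plain objects with lowercase keys, and the sample requests and responses are constructed.

```javascript
// Added example (not Hono's code): shared-cache admission check and Vary-aware
// cache key, modelling the partitioning the vulnerable middleware omitted.

// Request headers whose values identify a user; responses that vary on them must
// never be stored in a cache shared across users.
const PER_USER_HEADERS = new Set(["authorization", "cookie"]);

// Parse a Vary header value into a set of lowercase header names.
function parseVary(varyValue) {
  if (!varyValue) return new Set();
  return new Set(varyValue.split(",").map((v) => v.trim().toLowerCase()).filter(Boolean));
}

// Decide whether a response may be stored in a shared cache at all. Returns false
// for Cache-Control private/no-store (the workaround above), for Vary: *, and for
// responses that vary on a per-user header (the CVE-2026-44457 case).
function isShareableCacheable(responseHeaders) {
  const cc = (responseHeaders["cache-control"] || "").toLowerCase();
  if (/\b(private|no-store)\b/.test(cc)) return false;
  const vary = parseVary(responseHeaders["vary"]);
  if (vary.has("*")) return false;
  for (const name of vary) if (PER_USER_HEADERS.has(name)) return false;
  return true;
}

// Build a cache key that includes the request's value for every header the
// response's Vary lists, so that variants for different requests cannot collide.
function buildCacheKey(method, url, requestHeaders, varyValue) {
  const parts = [method.toUpperCase(), url];
  for (const name of [...parseVary(varyValue)].sort()) {
    parts.push(`${name}=${requestHeaders[name] ?? ""}`);
  }
  return parts.join("\n");
}

// Constructed sample: two authenticated users requesting the same URL whose
// response declares Vary: Accept-Encoding, Authorization.
function demo() {
  const resp = { vary: "Accept-Encoding, Authorization", "cache-control": "public, max-age=60" };
  const alice = { authorization: "Bearer alice-token", "accept-encoding": "gzip" };
  const bob = { authorization: "Bearer bob-token", "accept-encoding": "gzip" };
  return {
    shareable: isShareableCacheable(resp),
    aliceKey: buildCacheKey("GET", "/api/me", alice, resp.vary),
    bobKey: buildCacheKey("GET", "/api/me", bob, resp.vary),
  };
}
```

In demo() the response is rejected from the shared cache outright, and even if a cache did store it, the two keys differ, so Bob could not receive Alice's entry.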
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.