CVE-2026-24472

5.3 MEDIUM

📋 TL;DR

Hono web framework versions before 4.11.7 have a cache middleware vulnerability that improperly handles HTTP cache control directives. This allows private or authenticated responses to be cached and potentially exposed to unauthorized users. Any application using Hono's cache middleware with sensitive data is affected.

💻 Affected Systems

Products:
  • Hono web framework
Versions: All versions before 4.11.7
Operating Systems: Any OS running Node.js or other JavaScript runtimes
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using Hono's cache middleware with sensitive responses.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive authenticated user data (session tokens, personal information, private API responses) could be cached and exposed to other users accessing the same cache.

🟠 Likely Case

Some private user data may be cached and accessible to other users, potentially exposing limited personal information or session details.

🟢 If Mitigated

With proper cache controls at the infrastructure level or disabled cache middleware, impact is minimal.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires access to shared cache storage and knowledge of cache keys.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.11.7

Vendor Advisory: https://github.com/honojs/hono/security/advisories/GHSA-6wqw-2p9w-4vw4

Restart Required: Yes

Instructions:

1. Update the Hono package to version 4.11.7 or later.
2. Run 'npm update hono' or 'yarn upgrade hono'.
3. Restart your application server.

🔧 Temporary Workarounds

Disable Cache Middleware (applies to: all)

Temporarily disable Hono's cache middleware until patching is possible: remove or comment out the cache middleware usage in your Hono application.

Add Cache-Control Headers at Proxy Level (applies to: all)

Configure reverse proxies or CDNs to override cache behavior so that private or authenticated responses are not stored.

🧯 If You Can't Patch

  • Implement application-level cache control validation before responses are cached.
  • Use separate cache instances per user or session to prevent cross-user data exposure.
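The first of these mitigations, as an added example that is not part of this advisory or of Hono's own code: a standalone guard that decides, from a response's headers, whether it may be stored in a cache shared between users, so that private, no-store or cookie-setting responses are rejected before any caching layer sees them. The function names and header sets are constructed for illustration and assume a runtime with the WHATWG Headers class (Node 18 or later).

```javascript
// Added example (not Hono's code): application-level cache control validation.
// Parses Cache-Control per RFC 9111 semantics and refuses shared caching for
// anything that must stay per-user.

// Parse a Cache-Control header value into a Map of directive -> value (true for
// bare directives). Directive names are case-insensitive; quoted values are unquoted.
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of (value ?? '').split(',')) {
    const token = part.trim();
    if (!token) continue;
    const eq = token.indexOf('=');
    if (eq === -1) {
      directives.set(token.toLowerCase(), true);
    } else {
      const name = token.slice(0, eq).trim().toLowerCase();
      const raw = token.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
      directives.set(name, raw);
    }
  }
  return directives;
}

// Returns true only when the response is safe to store in a cache shared
// between users. `headers` is a WHATWG Headers instance (assumption).
function isSafeForSharedCache(headers) {
  const cc = parseCacheControl(headers.get('cache-control'));
  // Explicit opt-outs: never store these in a shared cache.
  if (cc.has('no-store') || cc.has('private')) return false;
  // A response that sets a cookie is almost always user-specific.
  if (headers.has('set-cookie')) return false;
  // Vary: * means the response depends on something not in the cache key.
  if ((headers.get('vary') ?? '').trim() === '*') return false;
  // Require an explicit, non-zero freshness lifetime (s-maxage wins for shared
  // caches) so nothing is stored by accident.
  const lifetime = cc.get('s-maxage') ?? cc.get('max-age');
  if (typeof lifetime !== 'string' || !/^\d+$/.test(lifetime)) return false;
  return Number(lifetime) > 0;
}

// Constructed sample: a public and an authenticated response side by side.
const publicResponse = new Headers({ 'cache-control': 'public, max-age=300' });
const profileResponse = new Headers({ 'cache-control': 'private, max-age=300', 'set-cookie': 'sid=example' });
console.log(isSafeForSharedCache(publicResponse), isSafeForSharedCache(profileResponse)); // true false
```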

🔍 How to Verify

Check if Vulnerable:

Check package.json for a Hono version below 4.11.7 and verify that the cache middleware is used.

Check Version:

npm list hono | grep hono

Verify Fix Applied:

Confirm the installed Hono version is 4.11.7 or higher, and test that responses carrying Cache-Control: private or no-store are not served from the cache.

📡 Detection & Monitoring

Log Indicators:

  • Multiple users accessing the same cached resource IDs
  • Unexpected cache hits for authenticated endpoints

Network Indicators:

  • Cache-Control headers being ignored in responses
  • Identical responses to different authenticated users

SIEM Query:

Search for cache middleware usage patterns with sensitive endpoints
