CVE-2026-24473

5.3 MEDIUM

📋 TL;DR

This vulnerability in Hono's static middleware for Cloudflare Workers allows attackers to read arbitrary environment keys by manipulating file paths. It affects Hono applications using the Cloudflare Workers adapter with static file serving enabled. The issue stems from improper path validation that exposes internal asset keys.

💻 Affected Systems

Products:
  • Hono
Versions: All versions prior to 4.11.7
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Hono applications using the Cloudflare Workers adapter with static middleware enabled.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could access sensitive environment variables like API keys, database credentials, or other secrets stored in Workers environment, leading to complete system compromise.

🟠

Likely Case

Attackers could read configuration secrets and environment variables, potentially enabling further attacks or data exfiltration.

🟢

If Mitigated

With proper input validation and environment variable isolation, impact would be limited to non-sensitive configuration data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted requests to static file endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.11.7

Vendor Advisory: https://github.com/honojs/hono/security/advisories/GHSA-w332-q679-j88p

Restart Required: Yes

Instructions:

1. Update Hono package to version 4.11.7 or later
2. Run 'npm update hono' or 'yarn upgrade hono'
3. Redeploy your Cloudflare Workers application
4. Verify the update was successful

🔧 Temporary Workarounds

1. Disable static middleware (applies to: all)
   Temporarily disable static file serving in Hono applications: remove or comment out static middleware usage in your Hono app.

2. Implement custom path validation (applies to: all)
   Add custom middleware to validate and sanitize file paths before the static middleware runs.
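As an added example of the second workaround (not Hono's own code), the guard below decodes the request path, rejects traversal, encoded and double-encoded traversal, backslashes, null bytes and unexpected characters, and only then hands off to the static handler. It assumes Hono's `(c, next)` middleware shape with `c.req.path` and `c.text()`; the optional `allowed` set of known asset paths and the `manifestKeys` name in the wiring comment are assumptions.

```javascript
// Added example (not Hono's own code): a path guard mounted in front of
// serveStatic. Assumes Hono's middleware shape (c, next) with c.req.path and
// c.text(body, status); hono itself is not imported so this runs stand-alone.

// Decode repeatedly (bounded) so double-encoded sequences such as %252e%252e
// are seen in their final form. Returns null on malformed percent-encoding.
function decodeFully(p, rounds = 3) {
  let cur = p;
  for (let i = 0; i < rounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch { return null; }
    if (next === cur) return cur;
    cur = next;
  }
  return cur;
}

// Returns null when the path is acceptable for a static lookup, otherwise a
// short reason string. `allowed` (optional) is a Set of known public asset
// paths; when given, anything outside it is rejected.
function checkStaticPath(rawPath, allowed) {
  const p = decodeFully(rawPath);
  if (p === null) return 'bad-encoding';
  if (p.includes('\0')) return 'null-byte';
  if (p.includes('\\')) return 'backslash';
  if (!p.startsWith('/')) return 'not-absolute';
  if (!/^[A-Za-z0-9._\/-]*$/.test(p)) return 'bad-char';
  const segs = p.split('/');
  if (segs.some((s) => s === '..' || s === '.')) return 'traversal';
  if (segs.slice(1, -1).some((s) => s === '')) return 'empty-segment';
  if (allowed && !allowed.has(p)) return 'not-allowed';
  return null;
}

// Middleware factory: reject before the static handler ever sees the key.
function staticPathGuard(options = {}) {
  return (c, next) => {
    const reason = checkStaticPath(c.req.path, options.allowed);
    if (reason !== null) {
      console.warn(`static path rejected (${reason}): ${c.req.path}`);
      return c.text('Bad Request', 400);
    }
    return next();
  };
}

// Assumed wiring in a Hono app (manifestKeys is a hypothetical Set):
//   app.use('/static/*', staticPathGuard({ allowed: manifestKeys }));
//   app.use('/static/*', serveStatic({ root: './' }));
```

Mount the guard on the same route pattern as the static middleware so every static request passes through it first; the rejection reason in the log line doubles as a detection signal.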

🧯 If You Can't Patch

  • Implement strict input validation for all user-controlled paths
  • Isolate sensitive environment variables from Workers environment

🔍 How to Verify

Check if Vulnerable:

Check if Hono version is below 4.11.7 and uses Cloudflare Workers adapter with static middleware

Check Version:

npm list hono | grep hono

Verify Fix Applied:

Verify Hono version is 4.11.7 or higher and test path traversal attempts return proper errors

📡 Detection & Monitoring

Log Indicators:

  • Unusual path patterns in static file requests
  • Failed attempts to access non-existent static files with unusual extensions

Network Indicators:

  • HTTP requests with crafted paths containing directory traversal patterns
  • Requests to static endpoints with unusual parameter patterns

SIEM Query:

source="cloudflare-workers" AND (uri="*..*" OR uri="*%2e%2e*" OR uri="*%2f*" OR uri="*%5c*")
