Medium severity 5.3 · NVD Advisory · Published Apr 8, 2026 · Updated Apr 21, 2026
CVE-2026-39406
Description
@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 1.19.13.
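A simplified model of the mismatch described above, with a log check for it, as an added example that is not code from Hono or from this advisory. `routeMatches` and `resolveStatic` are hypothetical stand-ins for the router and `serveStatic`, and the log format and entries are constructed.

```javascript
// Simplified model only: not Hono's router and not serveStatic's real code.

// Stand-in for a route matcher handling patterns like "/admin/*". It compares
// path segments literally, so the empty segment produced by "//" breaks the match.
function routeMatches(pattern, reqPath) {
  const prefix = pattern.replace(/\/\*$/, '').split('/');
  const segs = reqPath.split('/');
  return prefix.every((seg, i) => segs[i] === seg);
}

// Stand-in for a static handler that collapses repeated slashes before
// mapping the request path to a file.
function resolveStatic(reqPath) {
  return reqPath.replace(/\/{2,}/g, '/');
}

// True when the guard route is skipped for the raw path but the normalized
// path the static handler would serve lies under the protected prefix.
function bypassesGuard(pattern, reqPath) {
  return !routeMatches(pattern, reqPath) &&
         routeMatches(pattern, resolveStatic(reqPath));
}

// Defensive pre-routing check (an assumption of this example, separate from
// the upgrade to 1.19.13): reject any path that contains repeated slashes.
function hasRepeatedSlashes(reqPath) {
  return /\/{2,}/.test(reqPath);
}

// Detection: report requests answered with 200 whose raw path skipped the
// guard while its normalized form falls under the protected prefix.
function suspiciousRequests(logLines, pattern) {
  return logLines
    .map((l) => l.match(/^(\S+) "GET (\S+) HTTP\/1\.1" (\d{3})$/))
    .filter((m) => m && m[3] === '200' && bypassesGuard(pattern, m[2].split('?')[0]))
    .map((m) => ({ ip: m[1], path: m[2] }));
}

// Constructed access-log entries (documentation IP range), not real traffic.
const SAMPLE_LOG = [
  '192.0.2.10 "GET /admin/report.html HTTP/1.1" 401',
  '192.0.2.10 "GET //admin/report.html HTTP/1.1" 200',
  '192.0.2.11 "GET /public//logo.png HTTP/1.1" 200',
  '192.0.2.12 "GET /admin//keys.json HTTP/1.1" 401',
];
```

Running `suspiciousRequests(SAMPLE_LOG, '/admin/*')` over historical logs from a deployment older than 1.19.13 shows whether a protected file was ever served through a repeated-slash path.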
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @hono/node-server (npm) | < 1.19.13 | 1.19.13 |
Affected products
osv-coords, 18 versions. No CPE is listed for any entry.

| Package | Affected range |
|---|---|
| pkg:apk/chainguard/gemini-cli | < 0.37.0-r0 |
| pkg:apk/chainguard/kibana-9.1 | < 9.1.10-r10 |
| pkg:apk/chainguard/kibana-9.1-iamguarded | < 9.1.10-r10 |
| pkg:apk/chainguard/kibana-9.2 | < 9.2.7-r5 |
| pkg:apk/chainguard/kibana-9.2-iamguarded | < 9.2.7-r5 |
| pkg:apk/chainguard/kibana-9.3 | < 9.3.3-r4 |
| pkg:apk/chainguard/kibana-9.3-iamguarded | < 9.3.3-r4 |
| pkg:apk/chainguard/langfuse-3 | < 3.164.0-r5 |
| pkg:apk/chainguard/langfuse-3-worker | < 3.164.0-r5 |
| pkg:apk/chainguard/langfuse-fips-3 | < 3.164.0-r3 |
| pkg:apk/chainguard/langfuse-fips-3-worker | < 3.164.0-r3 |
| pkg:apk/chainguard/librechat | < 0.8.4-r5 |
| pkg:apk/chainguard/opensearch-dashboards-2 | < 2.19.5-r8 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips | < 2.19.5-r7 |
| pkg:apk/wolfi/langfuse-3 | < 3.164.0-r5 |
| pkg:apk/wolfi/langfuse-3-worker | < 3.164.0-r5 |
| pkg:apk/wolfi/opensearch-dashboards-2 | < 2.19.5-r8 |
| pkg:npm/%40hono/node-server | < 1.19.13 |
References
- github.com/advisories/GHSA-92pp-h63x-v22m (ghsa, ADVISORY)
- github.com/honojs/node-server/security/advisories/GHSA-92pp-h63x-v22m (nvd, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-39406 (ghsa, ADVISORY)
- github.com/honojs/node-server/commit/025c30f55d589ddbe6048b151d77e904f67a8cc2 (ghsa, WEB)
- github.com/honojs/node-server/releases/tag/v1.19.13 (ghsa, WEB)