Medium severity 5.3 · NVD Advisory · Published Apr 8, 2026 · Updated Apr 21, 2026
CVE-2026-39409
Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior. This vulnerability is fixed in 4.12.12.
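The mismatch described above, as an added example that is not Hono's code or its patch: a generic IPv4 deny rule evaluated with and without canonicalizing IPv4-mapped IPv6 addresses first. All function names and the sample rule are assumptions made for illustration.

```javascript
// Added example, not Hono's code. All function names here are hypothetical.
const V4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

// Map ::ffff:a.b.c.d or ::ffff:hhhh:hhhh to dotted-quad IPv4.
// Any other input (native IPv6, plain IPv4, malformed) is returned unchanged.
function canonicalizeClientIp(addr) {
  const mapped = /^::ffff:(.+)$/i.exec(addr);
  if (!mapped) return addr;
  if (V4.test(mapped[1])) return mapped[1];
  const hex = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i.exec(mapped[1]);
  if (!hex) return addr;
  const hi = parseInt(hex[1], 16);
  const lo = parseInt(hex[2], 16);
  return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join('.');
}

function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

// IPv4 rule match ("a.b.c.d" or "a.b.c.d/n"). An address that is not in
// dotted-quad form never matches, which is the failure mode in the advisory.
function matchesIpv4Rule(ip, rule) {
  if (!V4.test(ip)) return false;
  const [base, bits = '32'] = rule.split('/');
  const n = Number(bits);
  const mask = n === 0 ? 0 : (~0 << (32 - n)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Deny-list decision: true means the request is let through.
function allowedWithoutCanonicalization(remote, denyRules) {
  return !denyRules.some((rule) => matchesIpv4Rule(remote, rule));
}

function allowedWithCanonicalization(remote, denyRules) {
  return allowedWithoutCanonicalization(canonicalizeClientIp(remote), denyRules);
}

// Constructed sample input: plain IPv4, two IPv4-mapped spellings, native IPv6 loopback.
const denyRules = ['127.0.0.0/8'];
for (const remote of ['127.0.0.1', '::ffff:127.0.0.1', '::ffff:7f00:1', '::1']) {
  console.log(remote.padEnd(18),
    'no canonicalization:', allowedWithoutCanonicalization(remote, denyRules),
    '| canonicalized:', allowedWithCanonicalization(remote, denyRules));
}
```

Native IPv6 loopback (`::1`) passes in both columns because it is not an IPv4 address; it needs its own IPv6 rule. With an allow list the same mismatch runs the other way and rejects clients the rule was meant to admit.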
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| hono (npm) | < 4.12.12 | 4.12.12 |
Affected products
23 products. osv-coords (22 versions):

| Package | CPE | Range |
|---|---|---|
| pkg:apk/chainguard/gemini-cli | (no CPE) | < 0.37.0-r0 |
| pkg:apk/chainguard/hono | (no CPE) | < 0 |
| pkg:apk/chainguard/hono-adapter-mqtt | (no CPE) | < 0 |
| pkg:apk/chainguard/hono-cli | (no CPE) | < 0 |
| pkg:apk/chainguard/hono-compat | (no CPE) | < 0 |
| pkg:apk/chainguard/hono-service-auth | (no CPE) | < 0 |
| pkg:apk/chainguard/hono-service-command-router | (no CPE) | < 0 |
| pkg:apk/chainguard/hono-service-device-registry-jdbc | (no CPE) | < 0 |
| pkg:apk/chainguard/kibana-9.1 | (no CPE) | < 9.1.10-r10 |
| pkg:apk/chainguard/kibana-9.1-iamguarded | (no CPE) | < 9.1.10-r10 |
| pkg:apk/chainguard/kibana-9.2 | (no CPE) | < 9.2.7-r3 |
| pkg:apk/chainguard/kibana-9.2-iamguarded | (no CPE) | < 9.2.7-r3 |
| pkg:apk/chainguard/kibana-9.3 | (no CPE) | < 9.3.3-r0 |
| pkg:apk/chainguard/kibana-9.3-iamguarded | (no CPE) | < 9.3.3-r0 |
| pkg:apk/chainguard/langfuse-3-worker | (no CPE) | < 3.164.0-r5 |
| pkg:apk/chainguard/langfuse-fips-3-worker | (no CPE) | < 3.164.0-r3 |
| pkg:apk/chainguard/librechat | (no CPE) | < 0.8.4-r5 |
| pkg:apk/chainguard/opensearch-dashboards-2 | (no CPE) | < 2.19.5-r8 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips | (no CPE) | < 2.19.5-r7 |
| pkg:apk/wolfi/langfuse-3-worker | (no CPE) | < 3.164.0-r5 |
| pkg:apk/wolfi/opensearch-dashboards-2 | (no CPE) | < 2.19.5-r8 |
| pkg:npm/hono | (no CPE) | < 4.12.12 |
References
- github.com/honojs/hono/commit/48fa2233bc092f650119f42df043050737cabf39 · nvd · Patch · WEB
- github.com/advisories/GHSA-xpcf-pg52-r92g · ghsa · ADVISORY
- github.com/honojs/hono/security/advisories/GHSA-xpcf-pg52-r92g · nvd · Vendor Advisory · WEB
- nvd.nist.gov/vuln/detail/CVE-2026-39409 · ghsa · ADVISORY
- github.com/honojs/hono/releases/tag/v4.12.12 · nvd · Release Notes · WEB