CVE-2026-24472

EUVD-2026-4750

27.01.2026, 20:16

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control headers such as `Cache-Control: private` or `Cache-Control: no-store`, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users. Version 4.11.7 has a patch for the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
GitHub_M	CNA	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Affected Products (NVD)

Vendor	Product	Version
hono	hono	𝑥 < 4.11.7

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-524 - Use of Cache Containing Sensitive Information
The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.

References

https://github.com/honojs/hono/commit/12c511745b3f1e7a3f863a23ce5f921c7fa805d1

https://github.com/honojs/hono/releases/tag/v4.11.7

https://github.com/honojs/hono/security/advisories/GHSA-6wqw-2p9w-4vw4