← Back
2026-06-22 17:15CVE-2026-54290GitHub_M
PUBLISHED5.2CWE-942

Hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no explicit origin (the default wildcard), the CORS Middleware reflects the request's Origin and sends Access-Control-Allow-Credentials: true. Any site can then make credentialed cross-origin requests and read the responses, exposing cookie-authenticated endpoints to arbitrary origins. This vulnerability is fixed in 4.12.25.

Problem type

Affected products

honojs

hono

< 4.12.25 - AFFECTED

References

https://github.com/honojs/hono/security/advisories/GHSA-88fw-hqm2-52qc

https://github.com/honojs/hono/security/advisories/GHSA-88fw-hqm2-52qc

x_refsource_CONFIRM

GitHub Security Advisories

GHSA-88fw-hqm2-52qc

hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard

https://github.com/advisories/GHSA-88fw-hqm2-52qc

Summary

With credentials: true and no explicit origin (the default wildcard), the CORS Middleware reflects the request's Origin and sends Access-Control-Allow-Credentials: true. Any site can then make credentialed cross-origin requests and read the responses, exposing cookie-authenticated endpoints to arbitrary origins.

Details

The spec forbids Access-Control-Allow-Origin: * with credentials and browsers reject it, so this configuration used to fail closed. In affected versions the middleware reflects the request Origin instead, so it now succeeds for every origin, including null. The preflight also echoes the requested headers back, approving non-simple credentialed requests too.

This issue arises when an application enables credentials: true and leaves origin unset or set to the wildcard.

Impact

Any third-party page a logged-in user visits can read the application's cookie-authenticated endpoints and perform credentialed state-changing requests. This affects applications that enable credentialed CORS without restricting origin.

github.com

https://github.com/honojs/hono/security/advisories/GHSA-88fw-hqm2-52qc

github.com

https://github.com/advisories/GHSA-88fw-hqm2-52qc

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-54290
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-54290",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-06-22T17:26:12.791Z",
    "dateReserved": "2026-06-12T17:46:37.293Z",
    "datePublished": "2026-06-22T17:15:35.689Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-06-22T17:15:35.689Z"
      },
      "title": "Hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard",
      "descriptions": [
        {
          "lang": "en",
          "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no explicit origin (the default wildcard), the CORS Middleware reflects the request's Origin and sends Access-Control-Allow-Credentials: true. Any site can then make credentialed cross-origin requests and read the responses, exposing cookie-authenticated endpoints to arbitrary origins. This vulnerability is fixed in 4.12.25."
        }
      ],
      "affected": [
        {
          "vendor": "honojs",
          "product": "hono",
          "versions": [
            {
              "version": "< 4.12.25",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
              "cweId": "CWE-942",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/honojs/hono/security/advisories/GHSA-88fw-hqm2-52qc",
          "name": "https://github.com/honojs/hono/security/advisories/GHSA-88fw-hqm2-52qc",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH"
          }
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-06-22T17:26:12.791Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}