Hono Node Server (@hono/node-server): Unauthorized Access to Protected Static Files via Encoded Slashes
CVE-2026-29087
GHSA-wc8c-qw6v-h7f6
Summary
A bug in @hono/node-server (the Node.js adapter for the Hono web framework; it is not an Apache project) allows attackers to read static files that are meant to be protected by route-based authentication middleware. The bypass uses percent-encoded slashes (`%2F`) in the request path: the router matches the still-encoded path literally, so middleware guarding a prefix such as `/admin/*` never runs, while the static file handler decodes `%2F` to `/` and serves the file anyway. Files outside the configured static root are not reachable, so this is an authorization bypass, not path traversal. To fix this issue, update @hono/node-server to 1.19.10 or later; until then, do not rely solely on route-prefix middleware to protect files that live under the same static root (for example, serve protected files from a separate root behind an authenticated handler).
What to do
- Update @hono/node-server (npm package; GitHub repository honojs/node-server) to version 1.19.10 or later.
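Before and after updating, it is worth checking whether requests of this shape ever reached the server. The scan below is an added example, not part of the advisory or of the Hono project: it parses access-log lines in the common/combined format, flags requests whose raw target contains an encoded slash and whose decoded path falls under a protected prefix, and records whether the server answered 200. The log lines and the `/admin/` prefix are constructed for the demo.

```javascript
// Added example: find access-log entries that look like the encoded-slash bypass.
// Constructed sample data; the protected prefix list is an assumption for the demo.
const PROTECTED_PREFIXES = ['/admin/'];

// Constructed sample lines in the common/combined log format.
const SAMPLE_LOG = `
203.0.113.5 - - [04/Mar/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [04/Mar/2026:10:00:02 +0000] "GET /admin/secret.html HTTP/1.1" 401 0
203.0.113.5 - - [04/Mar/2026:10:00:03 +0000] "GET /admin%2Fsecret.html HTTP/1.1" 200 2048
198.51.100.7 - - [04/Mar/2026:10:00:04 +0000] "GET /admin%2fsecret.html HTTP/1.1" 200 2048
198.51.100.7 - - [04/Mar/2026:10:00:05 +0000] "GET /assets%2Flogo.png HTTP/1.1" 200 800
`.trim();

// client, ident, user, [timestamp], "METHOD target protocol", status, bytes
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// Decode the path part of the request target once; keep the raw path if decoding fails.
function decodedPath(target) {
  const pathOnly = target.split('?')[0];
  try {
    return decodeURIComponent(pathOnly);
  } catch (e) {
    return pathOnly;
  }
}

// Returns one finding per request that (a) carried %2F/%2f in its raw target and
// (b) decodes to a path under a protected prefix. `served` is true when the
// response was 200, i.e. the protected resource was actually handed out.
function findBypassAttempts(logText, prefixes = PROTECTED_PREFIXES) {
  const findings = [];
  for (const line of logText.split('\n')) {
    const entry = parseLine(line);
    if (!entry) continue;
    if (!/%2f/i.test(entry.target)) continue;
    const decoded = decodedPath(entry.target);
    if (!prefixes.some((p) => decoded.startsWith(p))) continue;
    findings.push({ ...entry, decoded, served: entry.status === 200 });
  }
  return findings;
}

for (const f of findBypassAttempts(SAMPLE_LOG)) {
  console.log(`${f.time} ${f.ip} ${f.method} ${f.target} -> ${f.decoded} status=${f.status} served=${f.served}`);
}
```

On the sample data this reports the two `/admin%2Fsecret.html` requests (upper- and lower-case encoding) and ignores the encoded slash under `/assets/`, which no middleware protects. The check decodes only once; if you also want to catch double-encoded variants such as `%252F`, decode the path a second time before the prefix test and flag any difference between the two results.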
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| hono | @hono/node-server (npm; repository honojs/node-server) | < 1.19.10 | 1.19.10 |
Original title
@hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware
Original description
## Summary
When using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting `/admin/*`), inconsistent URL decoding can allow protected static resources to be accessed without authorization.
In particular, paths containing encoded slashes (`%2F`) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served.
## Details
The routing layer and the node-server static handler normalize request paths differently. The router preserves `%2F` as a literal string when matching routes, while the static handler decodes `%2F` into `/` before resolving the filesystem path.
Example request:
- `/admin%2Fsecret.html`
This may:
- fail to match middleware intended for `/admin/*`, but
- still be resolved by the static handler as `/admin/secret.html` under the configured static root.
This does not allow access outside the configured static root and is not a path traversal vulnerability.
## Impact
An unauthenticated attacker could bypass route-based authorization protections for protected static resources by supplying paths containing encoded slashes.
Applications relying solely on route-based middleware to protect static subpaths under the same static root may have exposed those resources.
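The two paths through a request that the advisory describes, as an added illustration (this is a deliberately minimal model written for this page, not Hono's or @hono/node-server's code): a route-prefix check that sees the raw, still percent-encoded path, and a static handler that decodes the path before looking it up. The in-memory static root, the credential and the request shapes are stand-ins constructed for the demo. The hardened variant canonicalizes once and runs both the authorization check and the file lookup on that single canonical path.

```javascript
// Added model of the decoding mismatch in GHSA-wc8c-qw6v-h7f6. Not Hono code.

// Constructed in-memory static root: canonical path -> file contents.
const STATIC_FILES = new Map([
  ['/index.html', '<h1>public</h1>'],
  ['/admin/secret.html', '<h1>admin only</h1>'],
]);

const ADMIN_TOKEN = 'Bearer admin-token'; // stand-in credential for the demo

// Route-prefix protection for /admin/*, evaluated on whatever path it is handed.
function isProtectedPath(p) {
  return p === '/admin' || p.startsWith('/admin/');
}

// Root-anchored POSIX-style normalization: collapses '.', '..' and empty segments.
// Because it is anchored at '/', '..' can never climb above the static root,
// which is why the advisory is an authorization bypass and not a traversal.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Vulnerable flow: the middleware check sees the raw (encoded) path, so
// '/admin%2Fsecret.html' is not "under /admin/"; the static handler then decodes
// %2F to '/' and finds the protected file anyway.
function handleVulnerable(rawPath, headers) {
  if (isProtectedPath(rawPath) && headers.authorization !== ADMIN_TOKEN) {
    return { status: 401 };
  }
  let decoded;
  try { decoded = decodeURIComponent(rawPath); } catch (e) { return { status: 400 }; }
  const resolved = normalizePosix(decoded);
  const body = STATIC_FILES.get(resolved);
  return body === undefined ? { status: 404 } : { status: 200, body };
}

// Hardened flow: decode and normalize exactly once, reject what cannot be decoded
// cleanly, and feed the same canonical path to both the check and the lookup.
function canonicalize(rawPath) {
  let decoded;
  try { decoded = decodeURIComponent(rawPath); } catch (e) { return null; }
  if (decoded.includes('\0')) return null;
  return normalizePosix(decoded);
}

function handleHardened(rawPath, headers) {
  const canonical = canonicalize(rawPath);
  if (canonical === null) return { status: 400 };
  if (isProtectedPath(canonical) && headers.authorization !== ADMIN_TOKEN) {
    return { status: 401 };
  }
  const body = STATIC_FILES.get(canonical);
  return body === undefined ? { status: 404 } : { status: 200, body };
}

// Stand-alone demo: the encoded forms slip past the vulnerable flow only.
for (const p of ['/admin/secret.html', '/admin%2Fsecret.html', '/admin%2fsecret.html', '/%2e%2e/admin%2Fsecret.html']) {
  console.log(p, 'vulnerable:', handleVulnerable(p, {}).status, 'hardened:', handleHardened(p, {}).status);
}
```

The fix is not "decode less" but "decode in one place": any design where an authorization decision is made on one representation of the path and the filesystem lookup on another reintroduces the same class of bug, whatever the specific encoding. Rejecting raw paths that contain `%2F` outright is a stricter alternative many servers adopt; the model above instead accepts them but checks the decoded form.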
CVSS 3.1 (NVD): 7.5
Vulnerability type: CWE-863 (Incorrect Authorization)
References
- https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d1...
- https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6
- https://github.com/advisories/GHSA-wc8c-qw6v-h7f6
- https://nvd.nist.gov/vuln/detail/CVE-2026-29087
- https://github.com/honojs/node-server (product repository)
Published: 4 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026