Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-g33z-exy1-63gh
Vulnerability ID VCID-g33z-exy1-63gh
Aliases CVE-2026-27700
GHSA-xh87-mx6m-69f3
Summary Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value from the `X-Forwarded-For` header. Because AWS ALB appends the real client IP address to the end of the `X-Forwarded-For` header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms (such as the `ipRestriction` middleware) to be bypassed. Version 4.12.2 patches the issue.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-290 Authentication Bypass by Spoofing
CWE-345 Insufficient Verification of Data Authenticity
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2026-27700
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2026-27700
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2026-27700
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-xh87-mx6m-69f3
cvssv3.1 8.2 https://github.com/honojs/hono
generic_textual HIGH https://github.com/honojs/hono
cvssv3.1 8.2 https://github.com/honojs/hono/commit/41adbf56e252c04611f8972364ac0887ae07a4c7
generic_textual HIGH https://github.com/honojs/hono/commit/41adbf56e252c04611f8972364ac0887ae07a4c7
ssvc Track https://github.com/honojs/hono/commit/41adbf56e252c04611f8972364ac0887ae07a4c7
cvssv3.1 8.2 https://github.com/honojs/hono/releases/tag/v4.12.2
generic_textual HIGH https://github.com/honojs/hono/releases/tag/v4.12.2
ssvc Track https://github.com/honojs/hono/releases/tag/v4.12.2
cvssv3.1 8.2 https://github.com/honojs/hono/security/advisories/GHSA-xh87-mx6m-69f3
cvssv3.1_qr HIGH https://github.com/honojs/hono/security/advisories/GHSA-xh87-mx6m-69f3
generic_textual HIGH https://github.com/honojs/hono/security/advisories/GHSA-xh87-mx6m-69f3
ssvc Track https://github.com/honojs/hono/security/advisories/GHSA-xh87-mx6m-69f3
cvssv3.1 8.2 https://nvd.nist.gov/vuln/detail/CVE-2026-27700
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-27700
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-27700
https://github.com/honojs/hono
41adbf56e252c04611f8972364ac0887ae07a4c7 https://github.com/honojs/hono/commit/41adbf56e252c04611f8972364ac0887ae07a4c7
CVE-2026-27700 https://nvd.nist.gov/vuln/detail/CVE-2026-27700
GHSA-xh87-mx6m-69f3 https://github.com/advisories/GHSA-xh87-mx6m-69f3
GHSA-xh87-mx6m-69f3 https://github.com/honojs/hono/security/advisories/GHSA-xh87-mx6m-69f3
v4.12.2 https://github.com/honojs/hono/releases/tag/v4.12.2
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Found at https://github.com/honojs/hono
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Found at https://github.com/honojs/hono/commit/41adbf56e252c04611f8972364ac0887ae07a4c7
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-27T17:01:17Z/ Found at https://github.com/honojs/hono/commit/41adbf56e252c04611f8972364ac0887ae07a4c7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Found at https://github.com/honojs/hono/releases/tag/v4.12.2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-27T17:01:17Z/ Found at https://github.com/honojs/hono/releases/tag/v4.12.2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Found at https://github.com/honojs/hono/security/advisories/GHSA-xh87-mx6m-69f3
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-27T17:01:17Z/ Found at https://github.com/honojs/hono/security/advisories/GHSA-xh87-mx6m-69f3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-27700
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.00714
EPSS Score 8e-05
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:50:49.661588+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/27xxx/CVE-2026-27700.json 38.6.0