CVE-2026-44457

Name of the Vulnerable Software and Affected Versions Hono versions prior to 4.12.18

Description Cache Middleware fails to skip caching for responses that declare per-user variance using the Vary: Authorization or Vary: Cookie headers. While the middleware correctly skips caching for Vary: *, Set-Cookie, and specific Cache-Control directives such as private, no-store, or no-cache, it does not recognize Vary: Authorization and Vary: Cookie as reasons to avoid caching. This occurs when applications use Cache Middleware on endpoints returning user-specific data and rely on these headers to scope responses without also setting Cache-Control: private. Consequently, a response cached for one authenticated user may be served to subsequent requests from different users, potentially leading to the disclosure of personally identifiable information or other user-specific data.

Recommendations Update to version 4.12.18. As a temporary workaround, ensure that endpoints returning user-specific data set the Cache-Control: private header to prevent incorrect caching.