PT-2026-5013 · Cloudflare+1 · Cloudflare Workers+1

Kilkat · Published 2026-01-27 · Updated 2026-02-04 · CVE-2026-24473

CVSS v4.0: 6.3 (Medium)

Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Hono versions prior to 4.11.7

Description

The Serve static Middleware for the Cloudflare Workers adapter in Hono does not properly validate user-controlled paths, potentially allowing attackers to read arbitrary keys from the Workers environment. This improper validation can result in unintended access to internal asset keys. The issue affects applications running on Cloudflare Workers that utilize Serve static Middleware with user-controllable request paths and may lead to information disclosure. The exposed data is limited to readable asset keys and does not allow modification of stored data or execution of arbitrary code.

Recommendations

Update to Hono version 4.11.7 or later.

Exploit

Fix

Improper Access Control

Exposure of Resource to Wrong Sphere

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-24473
GHSA-W332-Q679-J88P

Affected Products

Cloudflare Workers
Hono