
CVE-2026-27700: CWE-345: Insufficient Verification of Data Authenticity in honojs hono

Severity: High
Tags: Vulnerability, CVE-2026-27700, CWE-345, CWE-290
Published: Wed Feb 25 2026 (02/25/2026, 15:01:44 UTC)
Source: CVE Database V5
Vendor/Project: honojs
Product: hono

Description

Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value from the `X-Forwarded-For` header. Because AWS ALB appends the real client IP address to the end of the `X-Forwarded-For` header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms (such as the `ipRestriction` middleware) to be bypassed. Version 4.12.2 patches the issue.

AI-Powered Analysis

Last updated: 02/25/2026, 15:56:08 UTC

Technical Analysis

CVE-2026-27700 affects the Hono JavaScript web framework, versions 4.12.0 and 4.12.1, when deployed with the AWS Lambda adapter (hono/aws-lambda) behind an AWS Application Load Balancer (ALB). The flaw is in getConnInfo(), the adapter function that derives client connection information, including the client IP address, from the request headers. X-Forwarded-For is a comma-separated list to which each proxy appends the address it received the request from, so the only entry an ALB-fronted application can trust is the one the ALB itself appended, at the end of the list. Hono 4.12.0 and 4.12.1 instead returned the first entry, which is whatever the client placed in the header before it reached the ALB. A client that sends X-Forwarded-For with an allowlisted address therefore appears to come from that address, and any control that keys on getConnInfo(), such as the ipRestriction middleware, can be bypassed, giving unauthenticated access to the resources it protects. The weakness is classified as CWE-345 (Insufficient Verification of Data Authenticity) and CWE-290 (Authentication Bypass by Spoofing). The CVSS v3.1 base score is 8.2 (High): network-reachable, low attack complexity, no privileges or user interaction required, high confidentiality impact. The issue was published on February 25, 2026 and fixed in Hono 4.12.2. No exploitation in the wild had been reported at the time of analysis.
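The following is an added example, not Hono's own code and not taken from the advisory, that models the behaviour described above in plain JavaScript: a constructed ALB Lambda target event, the first-entry extraction the vulnerable versions used, the last-entry extraction the fix uses, and a stand-in allowlist check that shows the bypass. It also goes one step beyond the advisory with a resolver that skips a configurable number of trusted hops, for topologies where another trusted proxy (CloudFront, for example) sits in front of the ALB. Every address, header value, ARN and the allowlist are constructed for the demonstration.

```javascript
// Added example, not Hono's code: models CVE-2026-27700 in plain JavaScript.
// ALB appends the IP of the peer that connected to it to the END of
// X-Forwarded-For, so anything the client sent sits to the left of it.

// Constructed ALB Lambda target event; only the header matters here.
function albEvent(xff) {
  const headers = { host: 'example.com' };
  if (xff !== undefined) headers['x-forwarded-for'] = xff;
  return {
    httpMethod: 'GET',
    path: '/admin',
    headers,
    requestContext: {
      elb: {
        // constructed ARN
        targetGroupArn:
          'arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/demo/0123456789abcdef',
      },
    },
  };
}

// Comma-separated list; one entry per hop, least trusted first.
function splitXff(value) {
  return String(value ?? '').split(',').map((s) => s.trim()).filter(Boolean);
}

// Vulnerable behaviour (4.12.0 / 4.12.1, as the advisory describes): first entry wins.
function clientIpVulnerable(event) {
  const parts = splitXff(event.headers['x-forwarded-for']);
  return parts.length ? parts[0] : null;
}

// Fixed behaviour (4.12.2, as the advisory describes): the entry the ALB appended.
function clientIpFixed(event) {
  return clientIpBehindTrustedHops(event, 1);
}

// Generalisation (ours, not in the advisory): with N trusted proxies in front
// of the app (CloudFront -> ALB is N = 2), the client is the N-th entry from
// the right. Fewer entries than trusted hops means the header does not match
// the topology, so refuse rather than guess.
function clientIpBehindTrustedHops(event, trustedHops) {
  const parts = splitXff(event.headers['x-forwarded-for']);
  const idx = parts.length - trustedHops;
  return idx >= 0 ? parts[idx] : null;
}

// Stand-in for an ipRestriction-style allowlist; fails closed on null.
function isAllowed(ip, allowlist) {
  return ip !== null && allowlist.includes(ip);
}

const ALLOWLIST = ['10.0.0.5'];                     // constructed admin address
const spoofed = albEvent('10.0.0.5, 203.0.113.7');  // attacker at 203.0.113.7 forged the header
const legit = albEvent('10.0.0.5');                  // real client at 10.0.0.5, ALB created the header

function demo() {
  return {
    vulnerableAllowsSpoof: isAllowed(clientIpVulnerable(spoofed), ALLOWLIST), // true: bypass
    fixedAllowsSpoof: isAllowed(clientIpFixed(spoofed), ALLOWLIST),           // false
    fixedAllowsLegit: isAllowed(clientIpFixed(legit), ALLOWLIST),             // true
  };
}

console.log(demo());
```

The trusted-hop count has to match the real topology: with only the ALB in front, "last entry" is right, but with CloudFront in front of the ALB the last entry is a CloudFront edge address and the client is one position further left. An absent or too-short header yields null and is denied, which is the safe direction for an allowlist.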

Potential Impact

Deployments that combine Hono 4.12.0 or 4.12.1, the AWS Lambda adapter and an ALB, and that rely on the client IP for authorization, are exposed. An attacker needs only to add a header: spoofing an allowlisted address bypasses IP restrictions on administrative or otherwise sensitive endpoints, so the primary impact is loss of confidentiality of whatever those endpoints expose; whether it leads further depends on what the protected functionality can do. No authentication or user interaction is needed, so the bypass can be attempted remotely and at scale with a single crafted request per target. Integrity impact is limited and availability is unaffected, but any logging, rate limiting or audit trail that records the same spoofed address is misled as well. The advisory scopes the flaw to the ALB path of the Lambda adapter; deployments that make no IP-based decisions have nothing to bypass, and deployments that do should assume IP-based controls on unpatched versions have been ineffective since 4.12.0 shipped.

Mitigation Recommendations

Upgrade Hono to 4.12.2 or later, where getConnInfo() returns the last X-Forwarded-For entry, the one the ALB appended. If an upgrade cannot happen immediately, stop trusting getConnInfo() for authorization: the ipRestriction middleware takes a getIP function as its first argument, so a custom function that returns the last X-Forwarded-For entry restores correct behaviour until the patch is in place. Note that the ALB Lambda target event carries no connection-level source address (unlike API Gateway events), so the ALB-appended entry is the only trustworthy client-address signal inside the function; headers such as X-Amzn-Trace-Id do not identify the client and are not a substitute. If another trusted proxy (for example CloudFront) sits in front of the ALB, the last entry is that proxy's address and the real client is one position further left; count trusted hops rather than assuming the last entry is the client. Enforce IP allowlists at the ALB as well, for instance with an AWS WAF IP set rule, which by default evaluates the source address of the connection to the load balancer rather than a header the client can write. Treat IP restriction as defence in depth and put authenticated, token-based access control on sensitive endpoints. In application logs, look for requests to IP-restricted paths whose X-Forwarded-For has two or more entries with an allowlisted first entry and a non-allowlisted last entry; a 2xx response to such a request on an unpatched version is a successful bypass. After patching, test from a non-allowlisted address with a forged X-Forwarded-For value and confirm the request is denied.
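The log review suggested above, written out as an added example (not from the advisory or the Hono project): a small detection pass over constructed JSON log lines that flags requests to protected paths whose X-Forwarded-For matches the spoof signature, and separates bypasses that succeeded from attempts that were denied. The log format, paths, addresses and allowlist are all assumptions made for the example.

```javascript
// Added example, not from the advisory: flag likely CVE-2026-27700 exploitation
// in application logs. Assumed (constructed) log format: one JSON object per
// line with the request path, the raw X-Forwarded-For header the ALB delivered,
// and the HTTP status the app returned.
const ALLOWLIST = new Set(['10.0.0.5', '10.0.0.6']);  // constructed admin addresses
const PROTECTED_PREFIX = '/admin';                   // paths guarded by ipRestriction

// Constructed sample log lines.
const LOG_LINES = [
  '{"ts":"2026-02-25T15:10:01Z","path":"/admin/users","xff":"10.0.0.5, 203.0.113.7","status":200}',
  '{"ts":"2026-02-25T15:10:05Z","path":"/admin/users","xff":"10.0.0.5","status":200}',
  '{"ts":"2026-02-25T15:10:09Z","path":"/","xff":"10.0.0.5, 203.0.113.7","status":200}',
  '{"ts":"2026-02-25T15:11:30Z","path":"/admin/settings","xff":"10.0.0.6, 198.51.100.23","status":200}',
  '{"ts":"2026-02-25T15:11:41Z","path":"/admin/users","xff":"198.51.100.23","status":403}',
  '{"ts":"2026-02-25T15:12:02Z","path":"/admin/users","xff":"10.0.0.5, 10.0.0.6","status":200}',
  '{"ts":"2026-02-25T15:13:17Z","path":"/admin/users","xff":"10.0.0.5, 203.0.113.9","status":403}',
];

// Comma-separated list; one entry per hop, least trusted first.
function splitXff(value) {
  return String(value ?? '').split(',').map((s) => s.trim()).filter(Boolean);
}

// Signature of the bug being exercised: a protected path, a header with at
// least two entries, an allowlisted first entry (what the vulnerable version
// trusted) and a non-allowlisted last entry (what the ALB actually saw).
// Returns null for lines that do not match.
function classify(line) {
  const rec = JSON.parse(line);
  const parts = splitXff(rec.xff);
  const first = parts.length ? parts[0] : null;
  const last = parts.length ? parts[parts.length - 1] : null;
  const protectedPath = rec.path.startsWith(PROTECTED_PREFIX);
  const spoofPattern = parts.length >= 2 && ALLOWLIST.has(first) && !ALLOWLIST.has(last);
  if (!protectedPath || !spoofPattern) return null;
  return {
    ts: rec.ts,
    path: rec.path,
    claimed: first,
    actual: last,
    // A non-error status on an unpatched version means the bypass worked;
    // 403 means the pattern was sent but denied (patched, or another control held).
    outcome: rec.status < 400 ? 'bypass' : 'attempt',
  };
}

function findSuspicious(lines) {
  return lines.map(classify).filter((r) => r !== null);
}

console.log(findSuspicious(LOG_LINES));
```

A line whose first and last entries are both allowlisted (an internal proxy chain) is deliberately not flagged, and a spoofed header on an unprotected path is ignored here because nothing was bypassed; widen the path filter if those probes are worth tracking.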


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-23T17:56:51.202Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f183fb7ef31ef0b2eb1c4

Added to database: 2/25/2026, 3:41:51 PM

Last enriched: 2/25/2026, 3:56:08 PM

Last updated: 2/26/2026, 7:09:29 AM
