The vulnerability CVE-2026-29087 affects the honojs node-server, a Node.js framework component used to run Hono applications. Prior to version 1.19.10, the server's static file serving mechanism and route-based middleware protections handle URL decoding inconsistently. Middleware protections, such as those restricting access to paths like /admin/*, rely on decoded URLs to enforce authorization. However, when URLs contain encoded slashes (%2F), the routing and middleware layers decode these differently than the static file path resolution layer. This discrepancy allows an attacker to craft URLs with encoded slashes that bypass middleware checks, resulting in unauthorized access to static files that should be protected. The vulnerability is classified under CWE-863 (Incorrect Authorization). It is remotely exploitable without authentication or user interaction, making it a significant risk. The flaw affects all versions of @hono/node-server before 1.19.10 and has been patched in that release. No known exploits are currently reported in the wild, but the ease of exploitation and impact on confidentiality justify a high severity rating with a CVSS score of 7.5.

This vulnerability can lead to unauthorized disclosure of sensitive static files that are intended to be protected by route-based middleware. Organizations using affected versions of honojs node-server may inadvertently expose confidential information such as configuration files, administrative interfaces, or private assets. This exposure can facilitate further attacks, including reconnaissance and privilege escalation. Since the exploit requires no authentication or user interaction and can be performed remotely, the risk is elevated for publicly accessible web applications. The integrity and availability of the system are not directly impacted, but the confidentiality breach can have severe consequences, including data leakage, compliance violations, and reputational damage. The vulnerability is particularly critical for organizations hosting sensitive or regulated data on Hono-based Node.js applications.

The primary mitigation is to upgrade all instances of @hono/node-server to version 1.19.10 or later, where the issue has been patched. Until the upgrade can be performed, organizations should implement strict input validation and URL normalization to prevent encoded slashes (%2F) from bypassing middleware protections. Additionally, configuring web application firewalls (WAFs) to detect and block suspicious encoded URL patterns can reduce exposure. Developers should audit their route-based middleware protections to ensure consistent URL decoding and authorization enforcement. Logging and monitoring access to static files, especially those under protected routes, can help detect exploitation attempts. Finally, security teams should review static file permissions and consider segregating sensitive static content to minimize risk.