Is this vulnerability remotely exploitable over the network?

Yes. Any remote client able to send HTTP(S) requests to the Node.js application using @hono/node-server can attempt to exploit the path encoding discrepancy, assuming protected static resources exist.

Does exploitation require authentication or local access?

Not inherently. If protected static resources are guarded only by route-based middleware, an unauthenticated attacker may be able to bypass those protections using crafted encoded paths. Whether authentication is needed depends on how the application configures middleware and what other controls are in place.

What is the safest general fix pattern for developers?

Ensure that the path used for authorization checks and the path used for static file resolution are the same canonical, fully decoded form. In practice, this means normalizing the URL once, applying authorization based on that normalized path, and ensuring the static file handler uses the identical normalized path—or adding explicit authorization checks to the static file serving layer for sensitive directories.

Severity:

HIGH RISK

(7.5)

Authorization Bypass via Inconsistent URL Decoding (CWE-863) in @hono/node-server Static File Handling

CVE-2026-29087

Published:

Mar 6, 2026

Status:

Received

Summary

Affected Context

Exploit Preconditions

Why This Happens

Potential Impact

General Mitigation Guidance

How Teams Detect Issues Like This

Frequently Asked Questions

Source

NDV

Recent Vulnerabilities

CWE-78

CRITICAL RISK

CRITICAL

(9.9)

Command Injection in MCP Stdio Configuration Validation (CWE-78) in WeKnora

Remote Code Execution

March 7, 2026

CWE-89

CRITICAL RISK

CRITICAL

(9.9)

SQL Injection via PostgreSQL Array/Row Expressions (CWE-89) in WeKnora Query Engine

Remote Code Execution via SQL Injection on the Database Server

March 7, 2026

Vulnerability Type

Category:

Authorization Bypass

CWE:

CWE-863

Impact:

Unauthorized Access to Protected Static Resources

Severity:

HIGH RISK

(7.5)

CVSS Version:

3.1

Vulnerability Type

Category:

Authorization Bypass

CWE:

CWE-863

Impact:

Unauthorized Access to Protected Static Resources

Severity:

HIGH RISK

(7.5)

CVSS Version:

3.1

Catch This CVE While Code Is Being Written

Detect vulnerable code directly in pull requests, so CVEs are fixed before merge.

Get Started

Ship clean & secure code faster

START 14 DAYS FREE TRIAL

BOOK A DEMO

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Authorization Bypass via Inconsistent URL Decoding (CWE-863) in @hono/node-server Static File Handling

Summary

Affected Context

Exploit Preconditions

Why This Happens

Potential Impact

General Mitigation Guidance

How Teams Detect Issues Like This

Frequently Asked Questions

Source

Recent Vulnerabilities

CRITICAL RISK

CRITICAL

(9.9)

Command Injection in MCP Stdio Configuration Validation (CWE-78) in WeKnora

CRITICAL RISK

CRITICAL

(9.9)

SQL Injection via PostgreSQL Array/Row Expressions (CWE-89) in WeKnora Query Engine

Vulnerability Type

Vulnerability Type

Vulnerability Type

Catch This CVE While Code Is Being Written

Ship clean & secure code faster

Product

Pricing

Company

Legal

Developers

Compare

Product

Pricing

Company

Legal

Developers

Compare

Product

Pricing

Company

Legal

Developers

Compare