CVE-2026-24472: Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception
The Hono Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control headers such as Cache-Control: private or Cache-Control: no-store, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users.
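The failure mode described above, as an added example that is not Hono's code or its fix: a URL-keyed shared cache that stores responses regardless of Cache-Control, beside the same cache with a directive check before storing. All function names, the handler, the URL and the tokens are constructed for illustration, and only the two directives named in the advisory are checked.

```javascript
// Added example, not Hono's code; all function names are hypothetical.

// Parse a Cache-Control value into a Map of lowercase directive -> value (true if bare).
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of (value || "").split(",")) {
    const [name, ...rest] = part.trim().split("=");
    if (name) directives.set(name.toLowerCase(), rest.length ? rest.join("=") : true);
  }
  return directives;
}

// A shared cache must not store responses marked private or no-store.
function isStorable(response) {
  const cc = parseCacheControl(response.headers.get("Cache-Control"));
  return !(cc.has("private") || cc.has("no-store"));
}

// URL-keyed shared cache around a handler. respectDirectives=false models the
// behaviour the advisory describes (store regardless of Cache-Control).
function withCache(handler, respectDirectives) {
  const store = new Map();
  return (request) => {
    if (store.has(request.url)) return store.get(request.url);
    const response = handler(request);
    if (!respectDirectives || isStorable(response)) store.set(request.url, response);
    return response;
  };
}

// Constructed origin handler: per-user body, explicitly marked private.
function profileHandler(request) {
  const user = request.headers.get("Authorization") || "anonymous";
  return {
    status: 200,
    headers: new Headers({ "Cache-Control": "private, max-age=60" }),
    body: `profile of ${user}`,
  };
}

// Body the second user receives after a first user requested the same URL.
function secondUserSees(respectDirectives) {
  const app = withCache(profileHandler, respectDirectives);
  const url = "https://app.example/me"; // constructed URL
  app({ url, headers: new Headers({ Authorization: "alice-token" }) });
  return app({ url, headers: new Headers({ Authorization: "bob-token" }) }).body;
}
```

Calling secondUserSees(false) returns the first user's body to the second user; secondUserSees(true) returns the second user's own body because the private response was never stored.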