CVE-2026-56764 PUBLISHED

Hono - Timing Attack in basicAuth and bearerAuth Middleware

Assigner: VulnCheck
Reserved: 22.06.2026 Published: 15.07.2026 Updated: 15.07.2026

Hono before 4.11.10 contains a timing attack vulnerability in the basicAuth and bearerAuth middlewares due to non-constant-time string comparison in the timingSafeEqual function. Attackers can exploit early termination of string equality checks to infer valid credentials through precise timing measurements.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.3

Product Status

Vendor Hono
Product Hono
Versions Default: unaffected
  • affected from 0 to 4.11.10 (excl.)
  • Version 4.11.10 is unaffected

Credits

  • Exagone313 reporter

References

Problem Types

  • Observable Timing Discrepancy CWE