Hono Cache Middleware Flaw Enables Cross-User Data Leakage in CVE-2026-44457
A security vulnerability in Hono's cache middleware has been disclosed and patched, with the flaw enabling cross-user cache leakage when authentication headers are involved. Tracked as CVE-2026-44457 and GHSA-p77w-8qqv-26rm, the issue affects Hono versions prior to 4.12.18 and centers on the middleware's failure to honor `Vary: Authorization` and `Vary: Cookie` response headers—HTTP mechanisms designed to ensure user-specific content is not shared across sessions.
The technical root lies in how Hono's cache middleware processes responses that declare per-user variance. When a backend sets `Vary: Authorization` or `Vary: Cookie`, it instructs caches that the response content depends on the user's authentication state or session identifier, so a cached copy may only be reused for requests carrying the same values in those headers. By ignoring these directives, the middleware could cache an authenticated user's response under the URL alone and serve it to subsequent users requesting the same endpoint, potentially exposing personalized data, session-bound content, or access-controlled information to unauthorized parties. Updating from version 4.12.16 to 4.12.18 addresses this behavior.
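To make the failure mode concrete, here is an added example in plain JavaScript; it is not Hono's code and not the patched middleware. It places a toy shared cache keyed on method and URL only (the shape of behaviour the advisory describes) beside a Vary-aware cache that stores one variant per distinct set of selecting request headers, and adds the RFC 9111 section 3.5 rule that a shared cache must not store a response to an `Authorization`-bearing request unless `Cache-Control` explicitly permits it. The request and response objects, `profileHandler`, the `/api/profile` route and the bearer token values are all constructed for the example.

```javascript
// Added example, not Hono's code: a URL-keyed cache that ignores Vary beside a
// Vary-aware one, and the shared-cache rule for Authorization-bearing requests.
// Requests and responses are plain objects; headers live in a Map keyed by
// lowercase field name so lookups are case-insensitive as in HTTP.

function lowerHeaders(headers) {
  return new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}
function makeRequest(method, url, headers = {}) {
  return { method, url, headers: lowerHeaders(headers) };
}
function makeResponse(body, headers = {}) {
  return { status: 200, body, headers: lowerHeaders(headers) };
}

// Hypothetical authenticated handler: the body depends on the caller, and the
// response declares that with Vary: Authorization. "public" is set so the
// Vary-aware cache is allowed to store it and the per-user separation is tested.
function profileHandler(request) {
  const auth = request.headers.get('authorization') || 'anonymous';
  return makeResponse(`profile for ${auth}`, {
    'Vary': 'Authorization',
    'Cache-Control': 'public, max-age=60',
  });
}

// Parse Vary into sorted, de-duplicated lowercase field names.
// Returns null for "Vary: *", which means the response must never be stored.
function parseVary(value) {
  const names = (value || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
  if (names.includes('*')) return null;
  return [...new Set(names)].sort();
}

// RFC 9111 s.3.5: a shared cache must not store a response to a request that
// carried Authorization unless Cache-Control says public, must-revalidate or
// s-maxage. This is a second line of defence on top of honouring Vary.
function storableInSharedCache(request, response) {
  if (!request.headers.has('authorization')) return true;
  const cc = (response.headers.get('cache-control') || '').toLowerCase();
  return /\b(public|must-revalidate|s-maxage=\d+)\b/.test(cc);
}

// Flawed shape: the key is method + URL alone, so whichever user populates the
// entry first has their response handed to everyone who asks next.
class NaiveCache {
  constructor() { this.store = new Map(); }
  key(request) { return `${request.method} ${request.url}`; }
  get(request) { return this.store.get(this.key(request)) || null; }
  put(request, response) { this.store.set(this.key(request), response); return true; }
}

// Vary-aware shape: each stored variant records the selecting header names and
// the request values it was stored under; a lookup hits only when all match.
class VaryAwareCache {
  constructor() { this.store = new Map(); }
  key(request) { return `${request.method} ${request.url}`; }
  get(request) {
    const variants = this.store.get(this.key(request)) || [];
    const hit = variants.find(v =>
      v.vary.every(h => (request.headers.get(h) || '') === v.values[h]));
    return hit ? hit.response : null;
  }
  put(request, response) {
    const vary = parseVary(response.headers.get('vary'));
    if (vary === null || !storableInSharedCache(request, response)) return false;
    const values = Object.fromEntries(vary.map(h => [h, request.headers.get(h) || '']));
    const list = this.store.get(this.key(request)) || [];
    list.push({ vary, values, response });
    this.store.set(this.key(request), list);
    return true;
  }
}

// Run two distinct users through the same cache and report what the second sees.
function serveTwoUsers(cache) {
  const alice = makeRequest('GET', '/api/profile', { Authorization: 'Bearer alice-token' });
  const bob = makeRequest('GET', '/api/profile', { Authorization: 'Bearer bob-token' });
  const first = profileHandler(alice);
  cache.put(alice, first);
  const bobResponse = cache.get(bob) || profileHandler(bob);
  return { aliceBody: first.body, bobBody: bobResponse.body, crossUserHit: bobResponse === first };
}

console.log('naive:', serveTwoUsers(new NaiveCache()));
console.log('vary-aware:', serveTwoUsers(new VaryAwareCache()));
```

The naive run shows Bob receiving `profile for Bearer alice-token`; the Vary-aware run misses for Bob and hits only for a repeat request carrying Alice's own token. When auditing a deployment for the vulnerable period, the questions this maps onto are which routes sat behind the cache middleware, whether their responses carried `Vary: Authorization` or `Vary: Cookie`, and whether the cache key could have been the URL alone.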
For developers and organizations running Hono with cache middleware in front of authenticated routes, the vulnerability raises immediate data exposure concerns. Applications serving user-specific API responses, personalized dashboards, or any content gated by authentication could have been affected. The practical risk depends on deployment architecture and which routes were cached. Projects should update to 4.12.18 and review whether sensitive user data may have been inadvertently exposed through cached responses during the vulnerable period.