CVE-2026-56764

Summary

Hono before 4.11.10 contains a timing attack vulnerability in the basicAuth and bearerAuth middlewares due to non-constant-time string comparison in the timingSafeEqual function. Attackers can exploit early termination of string equality checks to infer valid credentials through precise timing measurements.

Affected Software

VendorProductVersion RangeStatus
HonoHono0 < 4.11.10affected
HonoHono4.11.10unaffected

Weaknesses

  • CWE-208: Observable Timing Discrepancy

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References