Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be served to subsequent requests from different users.
The Cache Middleware skips caching when a response carries Vary: *, certain Cache-Control directives (private, no-store, no-cache), or Set-Cookie. However, Vary: Authorization and Vary: Cookie — the standard signals defined in RFC 9110 / RFC 9111 to indicate per-user responses — are not treated as cache-skip reasons.
This issue arises when applications use the Cache Middleware on endpoints that return user-specific data and rely on Vary: Authorization or Vary: Cookie to scope the response per user, without also setting Cache-Control: private.
A user may receive a cached response that was originally generated for a different authenticated user. This may lead to:
This issue affects applications that use the Cache Middleware on endpoints whose responses vary by Authorization or Cookie and that do not also set Cache-Control: private.
| Score | Percentile |
|---|---|
| 0.03% | 8.44% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 5.3 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-p77w-8qqv-26rm ↗ |
| CVE | CVE-2026-44457 ↗ |
| CWE id | Name |
|---|---|
| CWE-524 | Use of Cache Containing Sensitive Information |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | hono | < 4.12.18 | 4.12.18 | — |