CVE-2026-33490

H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-string), middleware registered on a mount like `/admin` will also execute for unrelated routes such as `/admin-public`, `/administrator`, or `/adminstuff`. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags. Version 2.0.2-rc.17 contains a patch.

CVSS v3 3.7 LOW

3.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w
https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-26 18:16

Updated : 2026-03-30 13:26

NVD link : CVE-2026-33490

Mitre link : CVE-2026-33490

CVE.ORG link : CVE-2026-33490

JSON object : View

Products Affected

No product.

CWE

CWE-706

Use of Incorrectly-Resolved Name or Reference

{"id": "CVE-2026-33490", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.2}]}, "published": "2026-03-26T18:16:30.237", "references": [{"url": "https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w", "source": "security-advisories@github.com"}, {"url": "https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-706"}]}], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-string), middleware registered on a mount like `/admin` will also execute for unrelated routes such as `/admin-public`, `/administrator`, or `/adminstuff`. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags. Version 2.0.2-rc.17 contains a patch."}, {"lang": "es", "value": "H3 es un framework H(TTP) m\u00ednimo. En las versiones 2.0.0-0 hasta la 2.0.1-rc.16, el m\u00e9todo 'mount()' en h3 usa una simple verificaci\u00f3n 'startsWith()' para determinar si las solicitudes entrantes caen bajo el prefijo de ruta de una subaplicaci\u00f3n montada. Debido a que esta verificaci\u00f3n no verifica un l\u00edmite de segmento de ruta (es decir, que el siguiente car\u00e1cter despu\u00e9s de la base es '/' o el final de la cadena), el middleware registrado en un montaje como '/admin' tambi\u00e9n se ejecutar\u00e1 para rutas no relacionadas como '/admin-public', '/administrator' o '/adminstuff'. Esto permite a un atacante activar middleware de configuraci\u00f3n de contexto en rutas que nunca se pretendi\u00f3 cubrir, potencialmente contaminando el contexto de la solicitud con indicadores de privilegio no deseados. La versi\u00f3n 2.0.2-rc.17 contiene un parche."}], "lastModified": "2026-03-30T13:26:50.827", "sourceIdentifier": "security-advisories@github.com"}