CVE-2026-33490

{"id": "CVE-2026-33490", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2026-03-26T18:16:30.237", "references": [{"url": "https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-706"}]}], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-string), middleware registered on a mount like `/admin` will also execute for unrelated routes such as `/admin-public`, `/administrator`, or `/adminstuff`. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags. Version 2.0.2-rc.17 contains a patch."}, {"lang": "es", "value": "H3 es un framework H(TTP) m\u00ednimo. En las versiones 2.0.0-0 hasta la 2.0.1-rc.16, el m\u00e9todo 'mount()' en h3 usa una simple verificaci\u00f3n 'startsWith()' para determinar si las solicitudes entrantes caen bajo el prefijo de ruta de una subaplicaci\u00f3n montada. Debido a que esta verificaci\u00f3n no verifica un l\u00edmite de segmento de ruta (es decir, que el siguiente car\u00e1cter despu\u00e9s de la base es '/' o el final de la cadena), el middleware registrado en un montaje como '/admin' tambi\u00e9n se ejecutar\u00e1 para rutas no relacionadas como '/admin-public', '/administrator' o '/adminstuff'. Esto permite a un atacante activar middleware de configuraci\u00f3n de contexto en rutas que nunca se pretendi\u00f3 cubrir, potencialmente contaminando el contexto de la solicitud con indicadores de privilegio no deseados. La versi\u00f3n 2.0.2-rc.17 contiene un parche."}], "lastModified": "2026-03-31T21:00:13.690", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc1:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "910077BC-C84C-4CAB-A0A5-761047F6F43C"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc10:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "603A08FC-B20B-4693-90A1-0BF5F08B43AC"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc11:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "BCC5ECF0-0EED-48BC-95FA-1D2671A971A9"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc12:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "BCCBE75E-DCF6-45FD-B57E-F8E2ADE3129F"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc13:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "3B66082C-3F3E-4BC6-9543-A2F9CFE3AAC6"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc14:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "3D1C9D7B-3CE4-427B-93B4-EAF867159AFB"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc15:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "5AE7D8A6-4506-418A-ABA4-C820A1DA7E7F"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc16:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "281715D9-6C86-4D4E-9833-C18A8CABD05A"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc2:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "C5E7779A-00CA-45E7-8F68-1DAB5388ED4A"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc3:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "064C21F5-8633-45F3-9A3D-3FB029A867B9"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc4:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "DDBC1DFD-8063-4AE1-92D8-B3B33735FEF0"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc5:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "496314A3-8F2B-4274-9D0D-7F11E896FEA5"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc6:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "35F49342-D52C-4762-9369-F380C5E7E0B5"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc7:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "D11CA1A7-3141-46EA-9687-32C333FC7B0C"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc8:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "A4A6FD03-5DE5-4D73-9FF3-BB653302C60B"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc9:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "5E404148-6862-44F5-961D-10E8A742A4B6"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}