{"api_version":"1","generated_at":"2026-04-24T04:14:43+00:00","cve":"CVE-2026-33490","urls":{"html":"https://cve.report/CVE-2026-33490","api":"https://cve.report/api/cve/CVE-2026-33490.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-33490","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-33490"},"summary":{"title":"h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes","description":"H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-string), middleware registered on a mount like `/admin` will also execute for unrelated routes such as `/admin-public`, `/administrator`, or `/adminstuff`. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags. Version 2.0.2-rc.17 contains a patch.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-03-26 18:16:30","updated_at":"2026-03-31 21:00:13"},"problem_types":["CWE-706","CWE-706 CWE-706: Use of Incorrectly-Resolved Name or Reference"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"3.7","severity":"LOW","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":3.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"3.7","severity":"LOW","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","data":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.7,"baseSeverity":"LOW","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w","name":"https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Mitigation","Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-33490","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33490","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"h3js","product":"h3","version":"affected >= 2.0.1-alpha.0, < 2.0.1-rc.17","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"33490","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"h3","cpe5":"h3","cpe6":"2.0.1","cpe7":"rc1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"33490","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"h3","cpe5":"h3","cpe6":"2.0.1","cpe7":"rc10","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"33490","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"h3","cpe5":"h3","cpe6":"2.0.1","cpe7":"rc11","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"33490","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"h3","cpe5":"h3","cpe6":"2.0.1","cpe7":"rc12","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"33490","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"h3","cpe5":"h3","cpe6":"2.0.1","cpe7":"rc13","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"33490","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"h3","cpe5":"h3","cpe6":"2.0.1","cpe7":"rc14","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"33490","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"h3","cpe5":"h3","cpe6":"2.0.1","cpe7":"rc15","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"33490","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"h3","cpe5":"h3","cpe6":"2.0.1","cpe7":"rc16","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"33490","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"h3","cpe5":"h3","cpe6":"2.0.1","cpe7":"rc2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"33490","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"h3","cpe5":"h3","cpe6":"2.0.1","cpe7":"rc3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"33490","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"h3","cpe5":"h3","cpe6":"2.0.1","cpe7":"rc4","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"33490","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"h3","cpe5":"h3","cpe6":"2.0.1","cpe7":"rc5","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"33490","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"h3","cpe5":"h3","cpe6":"2.0.1","cpe7":"rc6","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"33490","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"h3","cpe5":"h3","cpe6":"2.0.1","cpe7":"rc7","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"33490","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"h3","cpe5":"h3","cpe6":"2.0.1","cpe7":"rc8","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"33490","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"h3","cpe5":"h3","cpe6":"2.0.1","cpe7":"rc9","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"33490","cve":"CVE-2026-33490","epss":"0.000440000","percentile":"0.136040000","score_date":"2026-04-05","updated_at":"2026-04-06 00:05:32"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-33490","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-03-26T17:46:14.997707Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-03-26T18:23:39.653Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["exploit"],"url":"https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"h3","vendor":"h3js","versions":[{"status":"affected","version":">= 2.0.1-alpha.0, < 2.0.1-rc.17"}]}],"descriptions":[{"lang":"en","value":"H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-string), middleware registered on a mount like `/admin` will also execute for unrelated routes such as `/admin-public`, `/administrator`, or `/adminstuff`. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags. Version 2.0.2-rc.17 contains a patch."}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.7,"baseSeverity":"LOW","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-706","description":"CWE-706: Use of Incorrectly-Resolved Name or Reference","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-03-26T17:19:15.956Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w","tags":["x_refsource_CONFIRM"],"url":"https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w"}],"source":{"advisory":"GHSA-2j6q-whv2-gh6w","discovery":"UNKNOWN"},"title":"h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-33490","datePublished":"2026-03-26T17:19:15.956Z","dateReserved":"2026-03-20T16:16:48.971Z","dateUpdated":"2026-03-26T18:23:39.653Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-26 18:16:30","lastModifiedDate":"2026-03-31 21:00:13","problem_types":["CWE-706","CWE-706 CWE-706: Use of Incorrectly-Resolved Name or Reference"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":3.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":1.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc1:*:*:*:node.js:*:*","matchCriteriaId":"910077BC-C84C-4CAB-A0A5-761047F6F43C"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc10:*:*:*:node.js:*:*","matchCriteriaId":"603A08FC-B20B-4693-90A1-0BF5F08B43AC"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc11:*:*:*:node.js:*:*","matchCriteriaId":"BCC5ECF0-0EED-48BC-95FA-1D2671A971A9"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc12:*:*:*:node.js:*:*","matchCriteriaId":"BCCBE75E-DCF6-45FD-B57E-F8E2ADE3129F"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc13:*:*:*:node.js:*:*","matchCriteriaId":"3B66082C-3F3E-4BC6-9543-A2F9CFE3AAC6"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc14:*:*:*:node.js:*:*","matchCriteriaId":"3D1C9D7B-3CE4-427B-93B4-EAF867159AFB"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc15:*:*:*:node.js:*:*","matchCriteriaId":"5AE7D8A6-4506-418A-ABA4-C820A1DA7E7F"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc16:*:*:*:node.js:*:*","matchCriteriaId":"281715D9-6C86-4D4E-9833-C18A8CABD05A"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc2:*:*:*:node.js:*:*","matchCriteriaId":"C5E7779A-00CA-45E7-8F68-1DAB5388ED4A"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc3:*:*:*:node.js:*:*","matchCriteriaId":"064C21F5-8633-45F3-9A3D-3FB029A867B9"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc4:*:*:*:node.js:*:*","matchCriteriaId":"DDBC1DFD-8063-4AE1-92D8-B3B33735FEF0"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc5:*:*:*:node.js:*:*","matchCriteriaId":"496314A3-8F2B-4274-9D0D-7F11E896FEA5"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc6:*:*:*:node.js:*:*","matchCriteriaId":"35F49342-D52C-4762-9369-F380C5E7E0B5"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc7:*:*:*:node.js:*:*","matchCriteriaId":"D11CA1A7-3141-46EA-9687-32C333FC7B0C"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc8:*:*:*:node.js:*:*","matchCriteriaId":"A4A6FD03-5DE5-4D73-9FF3-BB653302C60B"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc9:*:*:*:node.js:*:*","matchCriteriaId":"5E404148-6862-44F5-961D-10E8A742A4B6"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"33490","Ordinal":"1","Title":"h3: Missing Path Segment Boundary Check in `mount()` Causes Midd","CVE":"CVE-2026-33490","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"33490","Ordinal":"1","NoteData":"H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-string), middleware registered on a mount like `/admin` will also execute for unrelated routes such as `/admin-public`, `/administrator`, or `/adminstuff`. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags. Version 2.0.2-rc.17 contains a patch.","Type":"Description","Title":"h3: Missing Path Segment Boundary Check in `mount()` Causes Midd"}]}}}