{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "2.0.1-alpha.0" }, { "fixed": "2.0.1-rc.17" } ] }, "events": [ { "introduced": "0" }, { "fixed": "388b8f06e060a219d11bbc6be7f70f38d8bbea01" } ], "repo": "https://github.com/h3js/h3", "type": "GIT" } ] } ], "aliases": [ "GHSA-2j6q-whv2-gh6w" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-706" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33490.json" }, "details": "H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-string), middleware registered on a mount like `/admin` will also execute for unrelated routes such as `/admin-public`, `/administrator`, or `/adminstuff`. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags. Version 2.0.2-rc.17 contains a patch.", "id": "CVE-2026-33490", "modified": "2026-04-01T23:10:05.353841651Z", "published": "2026-03-26T17:19:15.956Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33490.json" }, { "type": "ADVISORY", "url": "https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33490" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "type": "CVSS_V3" } ], "summary": "h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes" }