{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33490", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T16:16:48.971Z", "datePublished": "2026-03-26T17:19:15.956Z", "dateUpdated": "2026-03-26T18:23:39.653Z"}, "containers": {"cna": {"title": "h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes", "problemTypes": [{"descriptions": [{"cweId": "CWE-706", "lang": "en", "description": "CWE-706: Use of Incorrectly-Resolved Name or Reference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w"}], "affected": [{"vendor": "h3js", "product": "h3", "versions": [{"version": ">= 2.0.1-alpha.0, < 2.0.1-rc.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T17:19:15.956Z"}, "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-string), middleware registered on a mount like `/admin` will also execute for unrelated routes such as `/admin-public`, `/administrator`, or `/adminstuff`. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags. Version 2.0.2-rc.17 contains a patch."}], "source": {"advisory": "GHSA-2j6q-whv2-gh6w", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T17:46:14.997707Z", "id": "CVE-2026-33490", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:23:39.653Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33490", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T17:46:14.997707Z"}}}], "references": [{"url": "https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:46:23.495Z"}}], "cna": {"title": "h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes", "source": {"advisory": "GHSA-2j6q-whv2-gh6w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "h3js", "product": "h3", "versions": [{"status": "affected", "version": ">= 2.0.1-alpha.0, < 2.0.1-rc.17"}]}], "references": [{"url": "https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w", "name": "https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-string), middleware registered on a mount like `/admin` will also execute for unrelated routes such as `/admin-public`, `/administrator`, or `/adminstuff`. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags. Version 2.0.2-rc.17 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-706", "description": "CWE-706: Use of Incorrectly-Resolved Name or Reference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T17:19:15.956Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33490", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:23:39.653Z", "dateReserved": "2026-03-20T16:16:48.971Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T17:19:15.956Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc1:*:*:*:node.js:*:*", "matchCriteriaId": "910077BC-C84C-4CAB-A0A5-761047F6F43C", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc10:*:*:*:node.js:*:*", "matchCriteriaId": "603A08FC-B20B-4693-90A1-0BF5F08B43AC", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc11:*:*:*:node.js:*:*", "matchCriteriaId": "BCC5ECF0-0EED-48BC-95FA-1D2671A971A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc12:*:*:*:node.js:*:*", "matchCriteriaId": "BCCBE75E-DCF6-45FD-B57E-F8E2ADE3129F", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc13:*:*:*:node.js:*:*", "matchCriteriaId": "3B66082C-3F3E-4BC6-9543-A2F9CFE3AAC6", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc14:*:*:*:node.js:*:*", "matchCriteriaId": "3D1C9D7B-3CE4-427B-93B4-EAF867159AFB", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc15:*:*:*:node.js:*:*", "matchCriteriaId": "5AE7D8A6-4506-418A-ABA4-C820A1DA7E7F", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc16:*:*:*:node.js:*:*", "matchCriteriaId": "281715D9-6C86-4D4E-9833-C18A8CABD05A", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc2:*:*:*:node.js:*:*", "matchCriteriaId": "C5E7779A-00CA-45E7-8F68-1DAB5388ED4A", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc3:*:*:*:node.js:*:*", "matchCriteriaId": "064C21F5-8633-45F3-9A3D-3FB029A867B9", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc4:*:*:*:node.js:*:*", "matchCriteriaId": "DDBC1DFD-8063-4AE1-92D8-B3B33735FEF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc5:*:*:*:node.js:*:*", "matchCriteriaId": "496314A3-8F2B-4274-9D0D-7F11E896FEA5", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc6:*:*:*:node.js:*:*", "matchCriteriaId": "35F49342-D52C-4762-9369-F380C5E7E0B5", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc7:*:*:*:node.js:*:*", "matchCriteriaId": "D11CA1A7-3141-46EA-9687-32C333FC7B0C", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc8:*:*:*:node.js:*:*", "matchCriteriaId": "A4A6FD03-5DE5-4D73-9FF3-BB653302C60B", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc9:*:*:*:node.js:*:*", "matchCriteriaId": "5E404148-6862-44F5-961D-10E8A742A4B6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-string), middleware registered on a mount like `/admin` will also execute for unrelated routes such as `/admin-public`, `/administrator`, or `/adminstuff`. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags. Version 2.0.2-rc.17 contains a patch."}, {"lang": "es", "value": "H3 es un framework H(TTP) m\u00ednimo. En las versiones 2.0.0-0 hasta la 2.0.1-rc.16, el m\u00e9todo 'mount()' en h3 usa una simple verificaci\u00f3n 'startsWith()' para determinar si las solicitudes entrantes caen bajo el prefijo de ruta de una subaplicaci\u00f3n montada. Debido a que esta verificaci\u00f3n no verifica un l\u00edmite de segmento de ruta (es decir, que el siguiente car\u00e1cter despu\u00e9s de la base es '/' o el final de la cadena), el middleware registrado en un montaje como '/admin' tambi\u00e9n se ejecutar\u00e1 para rutas no relacionadas como '/admin-public', '/administrator' o '/adminstuff'. Esto permite a un atacante activar middleware de configuraci\u00f3n de contexto en rutas que nunca se pretendi\u00f3 cubrir, potencialmente contaminando el contexto de la solicitud con indicadores de privilegio no deseados. La versi\u00f3n 2.0.2-rc.17 contiene un parche."}], "id": "CVE-2026-33490", "lastModified": "2026-03-31T21:00:13.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-26T18:16:30.237", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-706"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "h3: H3: Information disclosure due to incorrect path prefix validation", "id": "2451798", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451798"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in H3, a minimal HTTP framework. The `mount()` method, responsible for routing requests to sub-applications, incorrectly uses a simple string comparison to check path prefixes. This allows a remote attacker to craft a URL that bypasses the intended path segment boundary. Consequently, middleware designed for specific administrative paths could be triggered for unrelated public paths, potentially leading to the exposure of sensitive information or unintended access due to incorrect privilege flags being set in the request context."], "name": "CVE-2026-33490", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/cluster-logging-operator-bundle", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/cluster-logging-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/eventrouter-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/fluentd-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/log-file-metric-exporter-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/logging-view-plugin-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/vector-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_update_service:5", "fix_state": "Not affected", "package_name": "openshift-update-service/openshift-update-service-rhel8", "product_name": "Red Hat OpenShift Update Service"}], "public_date": "2026-03-26T17:19:15Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33490\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33490\nhttps://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w"], "statement": "A Moderate flaw in the `h3` framework's `mount()` method allows for incorrect path prefix validation. This can lead to middleware intended for specific administrative paths being triggered for unrelated public paths, potentially exposing sensitive information or granting unintended access. Red Hat OpenShift Container Platform components are not affected as the vulnerable code is not present. Fedora versions 42 and 43 are affected.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.1-alpha.0,2.0.1-rc.17)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "h3", "source": "cna", "vendor": "h3js"}, "product": "h3", "vendor": "h3js"}], "analysis": {"en": {"generated_at": "2026-04-01T07:51:31.289723+00:00", "value": {"mitigation_remediation": ["Upgrade the h3 package to version 2.0.2\u2011rc.17 or newer, which implements a proper path boundary check.", "Verify that the upgraded environment does not contain legacy mount configurations that reference older releases.", "If an immediate upgrade is not possible, restrict access to administrative route prefixes through a reverse proxy or firewall and monitor logs for unexpected requests to those prefixes as a temporary countermeasure."], "summary": {"action": "Patch", "impact": "Unintended Middleware Execution"}, "threat_synthesis": {"affected_systems": "Node.js applications that import the h3 package and use the mount() feature are affected when the package version is between 2.0.0-0 and 2.0.1-rc.16 inclusive. All release candidates from rc1 through rc16 of the 2.0.1 series are listed as vulnerable. The vulnerability is fixed in version 2.0.2-rc.17 and newer.", "description_and_impact": "The h3 HTTP framework uses a simple startsWith check in its mount() method to decide whether a request falls under a mounted sub\u2011application\u2019s path prefix. This check does not verify that the next character after the base is a slash or the end of the string, so middleware registered on a path such as \"/admin\" will also run for unrelated routes such as \"/admin-public\", \"/administrator\", or \"/adminstuff\". The result is that an attacker can trigger context\u2011setting or other middleware on paths it was never intended to cover, potentially polluting the request context with unintended privilege flags.", "risk_and_exploitability": "The CVSS score of 3.7 indicates moderate severity, while an EPSS less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector involves an attacker sending HTTP requests to the target application and knowing or guessing a mounted path prefix. Based on the description, it is inferred that an attacker could alter request context fields, which may affect authorization decisions. The impact depends on how the application uses the context. Overall risk is moderate."}}}}, "created": "2026-03-27T08:33:31.139165+00:00", "updated": "2026-04-02T07:56:35.321328+00:00", "vendors": ["h3js", "h3js$PRODUCT$h3"]}