CVE-2026-33490 — LOW (3.7) — White Hats Nepal

Vulnerability Description

H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-string), middleware registered on a mount like `/admin` will also execute for unrelated routes such as `/admin-public`, `/administrator`, or `/adminstuff`. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags. Version 2.0.2-rc.17 contains a patch.

CVSS Score

3.7

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
H3	H3	2.0.1

Related Weaknesses (CWE)

CWE-706

References

https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6wExploitMitigationVendor Advisory
https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6wExploitMitigationVendor Advisory

FAQ

What is CVE-2026-33490?

CVE-2026-33490 is a vulnerability with a CVSS score of 3.7 (LOW). H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub...

How severe is CVE-2026-33490?

CVE-2026-33490 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-33490?

Check the references section above for vendor advisories and patch information. Affected products include: H3 H3.