CVE-2026-43981
Path Traversal in Algernon Web Server
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xyproto | algernon | to 1.17.6 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a race condition in the Algernon web server's Lua handler implementation. Specifically, the synchronization lock (a sync.RWMutex) that protects LoadCommonFunctions is released too early, before the Lua calls L.Push() and L.PCall() execute against the shared Lua state.
Because the Lua state (LState) used by gopher-lua is not safe for concurrent use by multiple goroutines, concurrent requests can interfere with each other when accessing this shared Lua state. This leads to corruption of the Lua virtual machine (VM).
The issue can be detected by the Go race detector under modest concurrency, such as 1000 requests with 100 concurrent connections. This vulnerability is fixed in Algernon version 1.17.6.
How can this vulnerability impact me?
This vulnerability can cause corruption of the Lua virtual machine state when handling concurrent requests, which can lead to denial of service (DoS) conditions in the Algernon web server.
Because the Lua VM state becomes corrupted, the server may crash or behave unpredictably under concurrent load, impacting availability and reliability of services running on Algernon.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected using the Go race detector tool by running the Algernon server under modest concurrency.
A suggested command to detect the race condition is to use a load testing tool such as ApacheBench (ab) with parameters to generate concurrent requests, for example: ab -n 1000 -c 100.
Running the Go race detector while performing this load test will confirm the presence of the race condition.
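The lock-scope defect described in the two answers above (a mutex released before L.Push()/L.PCall() run against the shared LState, surfaced by an `ab -n 1000 -c 100` style load) can be modelled in a few dozen lines. The following is an added Go example written for this page, not Algernon's or gopher-lua's code: `luaState`, `handler`, `serveBuggy`, `serveFixed`, `drive` and `result` are stand-in names chosen here to show the pattern and the fix, and `loadCommonFunctions` is a placeholder for Algernon's `LoadCommonFunctions`.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// luaState is a stand-in for gopher-lua's *lua.LState (not the real type):
// it must only be used by one goroutine at a time. It records overlapping
// entry so unsafe sharing is observable even without the race detector.
type luaState struct {
	busy     int32 // 1 while a goroutine is inside pushAndCall
	overlaps int32 // incremented when a goroutine enters while another is inside
	calls    int   // plain counter; only reliable when access is serialized
}

// pushAndCall plays the role of L.Push() followed by L.PCall().
func (s *luaState) pushAndCall() {
	if !atomic.CompareAndSwapInt32(&s.busy, 0, 1) {
		// A second goroutine is already inside the VM; in the real LState
		// this is where the Lua stack gets corrupted.
		atomic.AddInt32(&s.overlaps, 1)
	}
	s.calls++ // unsynchronized on purpose: `go run -race` flags this line in the buggy path
	atomic.StoreInt32(&s.busy, 0)
}

// handler mirrors the shape of the vulnerable path as the advisory describes
// it: an RWMutex guards loading the common functions, and the question is
// whether it is still held when the shared Lua state is used.
type handler struct {
	mu     sync.RWMutex
	loaded bool
	state  *luaState
}

func newHandler() *handler { return &handler{state: &luaState{}} }

// loadCommonFunctions is a placeholder for Algernon's LoadCommonFunctions.
func (h *handler) loadCommonFunctions() { h.loaded = true }

// serveBuggy drops the lock before Push/PCall: the pre-1.17.6 pattern.
func (h *handler) serveBuggy() {
	h.mu.Lock()
	h.loadCommonFunctions()
	h.mu.Unlock()         // lock released here...
	h.state.pushAndCall() // ...while the shared Lua state is still in use
}

// serveFixed keeps the lock for the whole use of the shared state, so
// requests are serialized and the VM is never entered concurrently.
func (h *handler) serveFixed() {
	h.mu.Lock()
	defer h.mu.Unlock()
	h.loadCommonFunctions()
	h.state.pushAndCall()
}

// drive issues `requests` calls to serve from `concurrency` worker goroutines,
// the same shape of load as `ab -n 1000 -c 100`.
func drive(serve func(), requests, concurrency int) {
	jobs := make(chan struct{}, requests)
	for i := 0; i < requests; i++ {
		jobs <- struct{}{}
	}
	close(jobs)
	var wg sync.WaitGroup
	for w := 0; w < concurrency; w++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for range jobs {
				serve()
			}
		}()
	}
	wg.Wait()
}

// result drives a fresh handler and returns (calls counted, overlapping entries).
func result(fixed bool, requests, concurrency int) (int, int32) {
	h := newHandler()
	serve := h.serveBuggy
	if fixed {
		serve = h.serveFixed
	}
	drive(serve, requests, concurrency)
	return h.state.calls, atomic.LoadInt32(&h.state.overlaps)
}

func main() {
	for _, fixed := range []bool{false, true} {
		calls, overlaps := result(fixed, 1000, 100)
		fmt.Printf("fixed=%v calls=%d overlaps=%d\n", fixed, calls, overlaps)
	}
}
```

With the fixed handler the counter always reaches 1000 and no overlapping entry is recorded; the buggy handler may lose increments or record overlaps depending on scheduling, and `go run -race` reports the unsynchronized write in pushAndCall for it while the fixed path stays clean. The point for a reviewer is the lock scope: the guard must cover every use of the shared state, not only the initialization step.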
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in Algernon version 1.17.6.
The immediate step to mitigate this vulnerability is to upgrade Algernon to version 1.17.6 or later.
There are no known workarounds for this issue.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.