Compliance Impact

This vulnerability allows unauthenticated remote code execution with full privileges of the Algernon process, enabling attackers to read sensitive data, modify files, and disrupt services.

Such unauthorized access and potential data breaches can lead to violations of common standards and regulations like GDPR and HIPAA, which mandate protection of personal and sensitive information.

The high confidentiality, integrity, and availability risks posed by this vulnerability could result in non-compliance due to exposure or alteration of protected data.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-45721 is a critical vulnerability in Algernon, a pure-Go web server, affecting versions 1.17.6 and earlier. When Algernon receives a request for a URL path that resolves to a directory without an index file, it searches upward through parent directories beyond the configured server root looking for a file named handler.lua to execute as the request handler.

This upward search continues until 100 ancestor steps or the filesystem root is reached, allowing the server to load and execute the first handler.lua it finds with full Algernon API privileges. This includes powerful functions like run3(), httpclient, os.execute, io.popen, and raw filesystem access.

An attacker who can write a handler.lua file anywhere in a parent directory of the server root can achieve pre-authenticated remote code execution (RCE) on the next HTTP request to a directory without an index file. This happens before any permission checks, making the attack possible without authentication.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code remotely on the server running Algernon without authentication, leading to severe security risks.

• Full remote code execution with the same privileges as the Algernon process.
• Access to sensitive data including databases, Redis instances, and userstate databases.
• Ability to modify or delete files, potentially disrupting service availability.
• Execution of shell commands via unsandboxed Lua libraries, enabling further system compromise.
• Exploitation scenarios include shared hosting environments, multi-tenant setups, CI runners, container images, and developer workstations where writable parent directories exist.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for the presence of handler.lua files in any parent directories above the configured Algernon server root, as the server walks upward looking for this file. Since the vulnerability allows pre-authenticated remote code execution triggered by any HTTP request to a directory without an index file, monitoring HTTP requests that return directory listings or unusual handler.lua executions can help detect exploitation attempts.

Suggested detection steps include:

• Search for handler.lua files in parent directories above the Algernon server root, for example using: find /path/to/server/root/../../ -name handler.lua
• Monitor HTTP requests for directory-style requests without index files that trigger handler.lua execution.
• Check server logs for unexpected Lua script executions or suspicious commands executed via os.execute or io.popen.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Algernon to version 1.17.7 or later, where the directory walk is clamped to the server root, preventing upward traversal beyond the configured root.

Additional immediate steps include:

• Remove or restrict write permissions to parent directories above the server root to prevent placing malicious handler.lua files.
• Audit and remove any existing handler.lua files found in parent directories outside the server root.
• Implement logging and monitoring to detect attempts to exploit this vulnerability.
• Reject or carefully inspect .alg archive files to ensure they do not contain top-level handler.lua files.

Useful 0 Not Useful 0