CVE-2026-45721
Remote Code Execution in Algernon Web Server
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xyproto | algernon | to 1.17.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-552 | The product makes files or directories accessible to unauthorized actors, even though they should not be. |
| CWE-426 | The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthenticated remote code execution with full privileges of the Algernon process, enabling attackers to read sensitive data, modify files, and disrupt services.
Such unauthorized access and potential data breaches can lead to violations of common standards and regulations like GDPR and HIPAA, which mandate protection of personal and sensitive information.
The high confidentiality, integrity, and availability risks posed by this vulnerability could result in non-compliance due to exposure or alteration of protected data.
Can you explain this vulnerability to me?
CVE-2026-45721 is a critical vulnerability in Algernon, a pure-Go web server, affecting versions 1.17.6 and earlier. When Algernon receives a request for a URL path that resolves to a directory without an index file, it searches upward through parent directories beyond the configured server root looking for a file named handler.lua to execute as the request handler.
This upward search continues until 100 ancestor steps or the filesystem root is reached, allowing the server to load and execute the first handler.lua it finds with full Algernon API privileges. This includes powerful functions like run3(), httpclient, os.execute, io.popen, and raw filesystem access.
An attacker who can write a handler.lua file anywhere in a parent directory of the server root can achieve pre-authenticated remote code execution (RCE) on the next HTTP request to a directory without an index file. This happens before any permission checks, making the attack possible without authentication.
How can this vulnerability impact me? :
This vulnerability allows an attacker to execute arbitrary code remotely on the server running Algernon without authentication, leading to severe security risks.
- Full remote code execution with the same privileges as the Algernon process.
- Access to sensitive data including databases, Redis instances, and userstate databases.
- Ability to modify or delete files, potentially disrupting service availability.
- Execution of shell commands via unsandboxed Lua libraries, enabling further system compromise.
- Exploitation scenarios include shared hosting environments, multi-tenant setups, CI runners, container images, and developer workstations where writable parent directories exist.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of handler.lua files in any parent directories above the configured Algernon server root, as the server walks upward looking for this file. Since the vulnerability allows pre-authenticated remote code execution triggered by any HTTP request to a directory without an index file, monitoring HTTP requests that return directory listings or unusual handler.lua executions can help detect exploitation attempts.
Suggested detection steps include:
- Search for handler.lua files in parent directories above the Algernon server root, for example using: find /path/to/server/root/../../ -name handler.lua
- Monitor HTTP requests for directory-style requests without index files that trigger handler.lua execution.
- Check server logs for unexpected Lua script executions or suspicious commands executed via os.execute or io.popen.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Algernon to version 1.17.7 or later, where the directory walk is clamped to the server root, preventing upward traversal beyond the configured root.
Additional immediate steps include:
- Remove or restrict write permissions to parent directories above the server root to prevent placing malicious handler.lua files.
- Audit and remove any existing handler.lua files found in parent directories outside the server root.
- Implement logging and monitoring to detect attempts to exploit this vulnerability.
- Reject or carefully inspect .alg archive files to ensure they do not contain top-level handler.lua files.