CVE-2026-45728
Status: Deferred - Pending Action
Information Exposure in Algernon Web Server

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: GitHub, Inc.

Description
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled. debugMode activates the PrettyError renderer, which on any Lua or template error response dumps the absolute path of the file that errored, complete byte contents of that file, and exception or parser error text. This response is served with HTTP 200 OK to whoever sent the request that triggered the error. Any client able to reach the server and able to provoke a runtime error in the served script obtains the full server-side source of that script and of any sibling Lua data file consulted during the request. This vulnerability is fixed in 1.17.7.
Meta Information
Published: 2026-05-26
Last Modified: 2026-05-26
Generated: 2026-06-16
AI Q&A: 2026-05-26
EPSS Evaluated: 2026-06-14
Affected Vendors & Products (1 associated CPE)
Vendor    Product    Version / Range
xyproto   algernon   up to 1.17.7 (exclusive)
CWE ID     Description
CWE-489    The product is released with debugging code still enabled or active.
CWE-540    Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.
CWE-209    The product generates an error message that includes sensitive information about its environment, users, or associated data.
CWE-1188   The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
AI Quick Actions (AI-generated insights)
Impact Analysis

This vulnerability can lead to serious information disclosure because attackers can retrieve the full source code of server-side scripts and related data files by triggering errors.

Exposed source code may contain sensitive information such as API keys, credentials, or other secrets, which can be exploited to compromise the server or escalate attacks.

Because the leaked data is served with an HTTP 200 OK status rather than an error status, standard error-rate monitoring and error-page blocking may not notice the leak at all.

Executive Summary

CVE-2026-45728 is a vulnerability in the Algernon web server that occurs when it is run in single-file mode (for example, running 'algernon foo.lua'). In this mode, debug mode is forcibly enabled regardless of other settings.

Debug mode activates the PrettyError renderer, which, upon any Lua or template error, returns an HTTP 200 OK response containing the absolute file path, the full byte contents of the file that caused the error, and the detailed runtime or parser error message.

This means that any client able to reach the server and trigger a runtime error in the served script can obtain the full server-side source code of that script and any related Lua data files consulted during the request.

Detection Guidance

This vulnerability can be detected by checking if the Algernon web server is running in single-file mode, which forcibly enables debug mode and exposes sensitive source code in error responses.

One way to detect exploitation attempts is to monitor HTTP responses for error messages that include absolute file paths, full source code contents, or Lua/template error details served with HTTP 200 OK status.

You can also check the server startup commands to see if Algernon is invoked with a single file path (e.g., `algernon foo.lua`), which triggers the vulnerable mode.

Suggested commands to detect this condition include:

  • Check running Algernon processes and their arguments: `ps aux | grep algernon`
  • Monitor HTTP traffic for suspicious responses containing source code or error details with tools like `tcpdump` or `Wireshark` filtering HTTP 200 responses with error content.
  • Use curl or wget to send requests that trigger errors in Lua or template scripts and observe whether the response discloses source code, for example: `curl http://yourserver/path/to/trigger/error`
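As an added example that is not part of this advisory page or of the Algernon project, the following Python script implements the two checks above as code a defender could run: it parses `ps aux` output for Algernon processes started with a single file path (the single-file mode that, per the description, forces debug mode on), and it scans captured HTTP responses for the PrettyError leak pattern (200 OK plus an absolute file path plus Lua or template error text). The process listing, the responses, and the list of error phrases are constructed assumptions for this example; the exact text PrettyError emits is not taken from the page.

```python
"""Added example: defender-side checks for the two conditions named in the
CVE-2026-45728 detection guidance. Not Algernon's code and not part of the
advisory; the `ps aux` listing and HTTP responses below are constructed."""
import os
import re
import shlex
from typing import Callable, Dict, List

# Absolute path with at least one directory component, not part of a URL
# (a preceding "/" or word character rules out "http://host/a/b.lua").
ABS_PATH = re.compile(r"(?<![\w./])/(?:[\w.-]+/)+[\w.-]+")

# Phrases typical of Lua runtime/parser errors and stack dumps. This list is
# an assumption for the example, not the exact text PrettyError produces.
ERROR_TEXT = re.compile(
    r"(?i)\b(?:runtime error|parse error|syntax error|unexpected symbol"
    r"|attempt to (?:call|index)|stack traceback)\b"
)


def looks_like_pretty_error(status: int, body: str) -> bool:
    """True when a response matches the leak pattern from the advisory:
    HTTP 200 OK whose body carries an absolute file path and error text."""
    return status == 200 and bool(ABS_PATH.search(body)) and bool(ERROR_TEXT.search(body))


def scan_responses(records: List[Dict]) -> List[int]:
    """Return indices of records (dicts with 'status' and 'body') that look
    like PrettyError pages; feed it from a proxy or log that keeps bodies."""
    return [i for i, r in enumerate(records) if looks_like_pretty_error(r["status"], r["body"])]


def single_file_mode(cmdline: str, is_dir: Callable[[str], bool] = os.path.isdir) -> bool:
    """True when the command line runs algernon with exactly one positional
    argument that is not a directory, i.e. the single-file mode the advisory
    says forces debugMode on. Flags are ignored because the advisory states
    debug mode is forced regardless of other settings; flags are assumed to
    use --flag=value form (a separate value would count as a positional)."""
    argv = shlex.split(cmdline)
    if not argv or os.path.basename(argv[0]) != "algernon":
        return False
    positional = [a for a in argv[1:] if not a.startswith("-")]
    return len(positional) == 1 and not is_dir(positional[0])


def algernon_cmdlines_from_ps(ps_output: str) -> List[str]:
    """Extract the COMMAND column of `ps aux` lines whose program is algernon."""
    cmds = []
    for line in ps_output.splitlines()[1:]:  # first line is the header
        fields = line.split(None, 10)  # 10 fixed columns, then COMMAND
        if len(fields) == 11 and os.path.basename(fields[10].split()[0]) == "algernon":
            cmds.append(fields[10])
    return cmds


def vulnerable_invocations(ps_output: str, is_dir: Callable[[str], bool] = os.path.isdir) -> List[str]:
    """Algernon command lines from `ps aux` output that run in single-file mode."""
    return [c for c in algernon_cmdlines_from_ps(ps_output) if single_file_mode(c, is_dir)]


# Constructed `ps aux` output: one single-file invocation, one directory invocation.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
www-data  1021  0.0  0.4  12345  6789 ?        Ssl  10:00   0:01 /usr/local/bin/algernon /srv/site/index.lua
www-data  1022  0.0  0.4  12345  6789 ?        Ssl  10:00   0:01 /usr/local/bin/algernon /srv/site
root      1200  0.0  0.0   1234   567 pts/0    S+   10:05   0:00 grep algernon
"""

# Constructed responses: a normal page, a PrettyError-style dump, a plain 500,
# and a parser-error dump.
SAMPLE_RESPONSES = [
    {"status": 200, "body": "<html><body>Hello from index.lua</body></html>"},
    {"status": 200, "body": (
        "Error in /srv/site/index.lua:\n\n"
        "attempt to index a nil value (global 'cfg')\n"
        "stack traceback:\n\t[G]: in function 'lookup'\n\n"
        "local cfg = require('config')\nprint(cfg.api_key)\n")},
    {"status": 500, "body": "Internal Server Error"},
    {"status": 200, "body": "Parse error: unexpected symbol near '}'\nin /srv/site/data.lua\n"},
]

if __name__ == "__main__":
    # The sample paths do not exist locally, so tell the check which one is a directory.
    print(vulnerable_invocations(SAMPLE_PS, is_dir=lambda p: p == "/srv/site"))
    print(scan_responses(SAMPLE_RESPONSES))
```

On a real host, call `vulnerable_invocations(subprocess.check_output(["ps", "aux"], text=True))` with the default `is_dir`, and feed `scan_responses` from whatever proxy or WAF log retains response bodies; the response check is deliberately status-agnostic in its path and error-text heuristics so that a 200 OK carrying an error dump is not filtered out the way error-status monitoring would filter it.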
Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Algernon to version 1.17.7 or later, where the issue is fixed.

Avoid running Algernon in single-file mode by invoking it with a directory path instead of a single file.

Ensure that the `--prod` flag or production mode settings take precedence over single-file mode to prevent debug mode from being forcibly enabled.

Limit error disclosures by configuring the server to avoid sending detailed error messages or source code in HTTP responses.

Compliance Impact

This vulnerability causes the Algernon web server to expose sensitive server-side source code, including potentially secrets like API keys or credentials, to any client able to trigger an error. Such exposure of sensitive information can lead to unauthorized data disclosure.

Exposure of sensitive information can violate common compliance standards and regulations such as GDPR and HIPAA, which require protection of personal data and sensitive information from unauthorized access or disclosure.

Therefore, this vulnerability negatively impacts compliance by increasing the risk of data breaches and unauthorized information disclosure.
