CVE-2026-45728
Status: Received - Intake
Information Exposure in Algernon Web Server

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: GitHub, Inc.

Description
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled. debugMode activates the PrettyError renderer, which on any Lua or template error response dumps the absolute path of the file that errored, complete byte contents of that file, and exception or parser error text. This response is served with HTTP 200 OK to whoever sent the request that triggered the error. Any client able to reach the server and able to provoke a runtime error in the served script obtains the full server-side source of that script and of any sibling Lua data file consulted during the request. This vulnerability is fixed in 1.17.7.
Affected Vendors & Products
Showing 1 associated CPE
Vendor: xyproto
Product: algernon
Version / Range: all versions before 1.17.7 (1.17.7 itself is not affected)
CWE ID / Description
CWE-209: The product generates an error message that includes sensitive information about its environment, users, or associated data.
CWE-1188: The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
CWE-489: The product is released with debugging code still enabled or active.
CWE-540: Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.
AI Powered Q&A
How can this vulnerability impact me?

Any client that can reach the server and provoke a Lua or template error receives, in the response body, the absolute path and full source of the script that failed, plus any sibling Lua data file read during that request.

Server-side scripts routinely embed API keys, database credentials, internal hostnames and business logic; once read, these are a direct path to further compromise or lateral movement.

Because the leaking response is a 200 OK rather than a 5xx, alerting that keys on error status codes or error rates will not see it; detecting the leak requires inspecting response bodies.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability causes the Algernon web server to expose sensitive server-side source code, including potentially secrets like API keys or credentials, to any client able to trigger an error. Such exposure of sensitive information can lead to unauthorized data disclosure.

Exposure of sensitive information can violate common compliance standards and regulations such as GDPR and HIPAA, which require protection of personal data and sensitive information from unauthorized access or disclosure.

Therefore, this vulnerability negatively impacts compliance by increasing the risk of data breaches and unauthorized information disclosure.


Can you explain this vulnerability to me?

CVE-2026-45728 is a vulnerability in the Algernon web server that occurs when it is run in single-file mode (for example, running 'algernon foo.lua'). In this mode, debug mode is forcibly enabled regardless of other settings.

Debug mode activates the PrettyError renderer, which, on any Lua or template error, returns an HTTP 200 OK response containing the absolute path of the file that errored, the complete byte contents of that file, and the exception or parser error text.

This means that any client able to reach the server and trigger a runtime error in the served script can obtain the full server-side source code of that script and any related Lua data files consulted during the request.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection has two sides: finding instances that run in the vulnerable mode, and spotting the leak itself in traffic.

On the wire, the tell is a 200 OK whose body contains an absolute filesystem path to a .lua or template file, Lua or parser error text, and script source. Status-code monitoring will not catch it; body inspection will.

On the host, check how each Algernon process was started: an invocation whose positional argument is a single file (for example `algernon foo.lua`) rather than a directory runs in single-file mode, and in affected versions that forces debugMode on.

Suggested commands:

  • List running Algernon processes with their arguments: `ps -eo pid,args | grep '[a]lgernon'`, then `test -f` the positional argument to confirm it is a regular file rather than a directory.
  • Capture plaintext HTTP traffic to the server and search response bodies rather than status lines for script paths, e.g. `tcpdump -A -i any port 3000 | grep -E '/[^ ]+\.lua'` (adjust the port to where the instance listens; in Wireshark, filter on `http.response.code == 200` and inspect the bodies, since an error-code filter misses this leak).
  • Send a request you know triggers an error in the served script and check whether the response discloses the source: `curl -si http://yourserver/path/to/trigger/error | grep -nE '^HTTP/|/[^ ]+\.lua'`; a `200` status line followed by an absolute path is the signature.

What immediate steps should I take to mitigate this vulnerability?

Upgrade Algernon to version 1.17.7 or later, where the issue is fixed.

Until the upgrade is in place, do not run Algernon in single-file mode: invoke it with a directory path rather than a single file, so singleFileMode stays false and debugMode is not forced on.

Do not rely on the `--prod` flag or other production-mode settings to suppress the debug page on affected versions: the advisory describes debugMode as forcibly enabled by single-file mode regardless of other settings, so only the upgrade or a change of invocation removes it.

If the instance cannot be changed immediately, restrict who can reach it and put a reverse proxy in front that rewrites or drops responses whose body carries absolute script paths or script source, so the detailed error page never leaves the host.
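The detection commands and the compensating control above, as an added worked example in Go (Algernon's own language) that is not part of this advisory or of the Algernon project: ClassifyResponse flags a response body that names an absolute .lua/.tmpl/.md path together with error text or Lua source, Probe fetches a URL and classifies what comes back, and NewSanitizingProxy reuses the same check as a stop-gap in front of an unpatched instance, replacing any matching upstream response with a generic 500. The regular expressions, the file extensions and the sample response body are assumptions constructed for the example, not Algernon's real PrettyError markup; tune them against a captured response before relying on them.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httputil"
	"net/url"
	"regexp"
	"strconv"
)

// Heuristic markers for the response shape the advisory describes: an absolute
// path to a served script, interpreter/parser error text, and Lua source.
// Assumed patterns for this example, not Algernon's actual PrettyError output.
var (
	absPathRe = regexp.MustCompile(`/[^\s"'<>]+\.(lua|tmpl|md)`)
	errTextRe = regexp.MustCompile(`(?i)(runtime error|attempt to|syntax error|parse error|unexpected symbol)`)
	luaCodeRe = regexp.MustCompile(`(?m)^\s*(local\s+\w+\s*=|function\s+\w*\s*\(|print\()`)
)

// Finding records why a response was classified as a source leak.
type Finding struct {
	Status       int
	AbsolutePath string
	HasErrorText bool
	HasLuaSource bool
}

// ClassifyResponse reports a leak when the body names an absolute script path
// and also carries error text or Lua source. The status code is recorded but is
// deliberately not a gate: the leak ships as 200 OK, so keying on 5xx misses it.
func ClassifyResponse(status int, body []byte) (Finding, bool) {
	f := Finding{Status: status}
	if m := absPathRe.Find(body); m != nil {
		f.AbsolutePath = string(m)
	}
	f.HasErrorText = errTextRe.Match(body)
	f.HasLuaSource = luaCodeRe.Match(body)
	return f, f.AbsolutePath != "" && (f.HasErrorText || f.HasLuaSource)
}

// Probe fetches rawURL (a request known to provoke a Lua or template error on
// the target) and classifies the response body.
func Probe(client *http.Client, rawURL string) (Finding, bool, error) {
	resp, err := client.Get(rawURL)
	if err != nil {
		return Finding{}, false, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap what we buffer
	if err != nil {
		return Finding{}, false, err
	}
	f, leak := ClassifyResponse(resp.StatusCode, body)
	return f, leak, nil
}

// NewSanitizingProxy is a compensating control for an instance that cannot be
// upgraded yet: any upstream response that classifies as a leak is replaced by
// a generic 500 before it reaches the client. The real fix is 1.17.7.
func NewSanitizingProxy(upstream *url.URL) *httputil.ReverseProxy {
	p := httputil.NewSingleHostReverseProxy(upstream)
	p.ModifyResponse = func(resp *http.Response) error {
		body, err := io.ReadAll(resp.Body)
		resp.Body.Close()
		if err != nil {
			return err
		}
		if _, leak := ClassifyResponse(resp.StatusCode, body); leak {
			body = []byte("Internal Server Error\n")
			resp.StatusCode = http.StatusInternalServerError
			resp.Header.Set("Content-Type", "text/plain; charset=utf-8")
		}
		resp.Body = io.NopCloser(bytes.NewReader(body))
		resp.ContentLength = int64(len(body))
		resp.Header.Set("Content-Length", strconv.Itoa(len(body)))
		return nil
	}
	return p
}

// constructedLeakBody is a made-up sample of the response shape the advisory
// describes (absolute path, error text, full script source, served as 200).
const constructedLeakBody = `<h1>Error in /srv/site/index.lua</h1>
<pre>/srv/site/index.lua:3: attempt to index a nil value (global 'config')</pre>
<pre>local secret = "sk_live_EXAMPLE"
function handler()
  print(config.db)
end</pre>`

func main() {
	f, leak := ClassifyResponse(200, []byte(constructedLeakBody))
	fmt.Printf("leak=%v status=%d path=%s error=%v source=%v\n",
		leak, f.Status, f.AbsolutePath, f.HasErrorText, f.HasLuaSource)
}
```

To put the proxy in front of a live instance, serve it with `http.ListenAndServe(":8080", NewSanitizingProxy(upstreamURL))` and point clients at the proxy, keeping the Algernon port itself firewalled. The proxy buffers whole responses, which is acceptable for the small pages Algernon serves but is not a general-purpose design.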

