CVE-2026-46430
Deferred Deferred - Pending Action
SSE Event Server Binding to All Interfaces in Algernon

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: GitHub, Inc.

Description
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort("", ":5553") resolves to ":5553". This vulnerability is fixed in 1.17.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-46430
EUVD
EUVD-2026-31869
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xyproto algernon to 1.17.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-668 The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
CWE-1188 The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability CVE-2026-46430 affects the Algernon web server (versions up to 1.17.6) on Linux and macOS. The Server-Sent Events (SSE) event server binds to all network interfaces (0.0.0.0:5553) by default instead of just the loopback address (localhost). This happens because the platform-dependent default host is set to an empty string for non-Windows systems, which resolves to all interfaces when combined with the port.

On Windows, the default is correctly set to "localhost," binding only to the loopback address. This misconfiguration on Linux/macOS allows any device on the local network (LAN) to connect to the SSE endpoint without authentication.

As a result, sensitive information such as file-change streams and edit timings can be exposed, leading to potential information disclosure.

Compliance Impact

The vulnerability allows any LAN peer to connect to the SSE endpoint without authentication, exposing file-change streams and edit timings, which leads to potential information disclosure.

This exposure of potentially sensitive information could impact compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding of confidential information and prevention of unauthorized access.

However, the vulnerability is classified as a medium confidentiality risk with no direct integrity or availability impact.

Impact Analysis

This vulnerability can impact you by exposing sensitive information to any device on your local network without requiring authentication.

Specifically, it allows LAN peers to access the SSE endpoint and view file-change streams and edit timings, which could reveal confidential or private data.

The impact is classified as a medium confidentiality risk, with no direct impact on data integrity or system availability.

Detection Guidance

This vulnerability can be detected by checking if the Algernon SSE event server is listening on all network interfaces (0.0.0.0) at port 5553 on Linux or macOS systems.

  • Use the command `netstat -tuln | grep 5553` or `ss -tuln | grep 5553` to see if port 5553 is bound to 0.0.0.0.
  • Alternatively, use `lsof -i :5553` to identify the process listening on port 5553 and verify if it is the Algernon server.

If the SSE event server is bound to 0.0.0.0:5553 instead of localhost:5553, the system is vulnerable.

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Algernon to version 1.17.7 or later where the issue is fixed.

If upgrading is not immediately possible, configure the SSE event server to bind explicitly to localhost (127.0.0.1) instead of all interfaces by modifying the server configuration or source code.

Alternatively, mount the SSE handler on the main server mux to avoid a separate listener on all interfaces.

Restrict network access to port 5553 using firewall rules to block LAN peers from connecting to this port.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46430. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart