CVE-2026-46430
SSE Event Server Binding to All Interfaces in Algernon
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xyproto | algernon | up to (excluding) 1.17.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1188 | The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure. |
| CWE-668 | The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows any LAN peer to connect to the SSE endpoint without authentication, exposing file-change streams and edit timings, which leads to potential information disclosure.
This exposure of potentially sensitive information could impact compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding of confidential information and prevention of unauthorized access.
However, the vulnerability is classified as a medium confidentiality risk with no direct integrity or availability impact.
Can you explain this vulnerability to me?
The vulnerability CVE-2026-46430 affects the Algernon web server (versions up to 1.17.6) on Linux and macOS. The Server-Sent Events (SSE) event server binds to all network interfaces (0.0.0.0:5553) by default instead of only the loopback address (localhost). This happens because the platform-dependent default host is set to an empty string on non-Windows systems; combined with the port, the empty host yields a listen address of ":5553", which binds to all interfaces.
On Windows, the default is correctly set to "localhost", which binds only to the loopback address. This misconfiguration on Linux/macOS allows any device on the local network (LAN) to connect to the SSE endpoint without authentication.
As a result, sensitive information such as file-change streams and edit timings can be exposed, leading to potential information disclosure.
How can this vulnerability impact me?
This vulnerability can impact you by exposing sensitive information to any device on your local network without requiring authentication.
Specifically, it allows LAN peers to access the SSE endpoint and view file-change streams and edit timings, which could reveal confidential or private data.
The impact is classified as a medium confidentiality risk, with no direct impact on data integrity or system availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Algernon SSE event server is listening on all network interfaces (0.0.0.0) at port 5553 on Linux or macOS systems.
- Use the command `netstat -tuln | grep 5553` or `ss -tuln | grep 5553` to see if port 5553 is bound to 0.0.0.0.
- Alternatively, use `lsof -i :5553` to identify the process listening on port 5553 and verify if it is the Algernon server.
If the SSE event server is bound to 0.0.0.0:5553 (or the IPv6 wildcard, shown as `[::]:5553` or `*:5553`) instead of 127.0.0.1:5553 or localhost:5553, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade Algernon to version 1.17.7 or later where the issue is fixed.
If upgrading is not immediately possible, configure the SSE event server to bind explicitly to localhost (127.0.0.1) instead of all interfaces by modifying the server configuration or source code.
Alternatively, mount the SSE handler on the main server mux to avoid a separate listener on all interfaces.
In addition, restrict network access to port 5553 with firewall rules so that LAN peers cannot connect to it.
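The listen-address failure mode explained above, together with the detection step and the localhost fix, as an added Go example that is not Algernon's own code. `BindsAllInterfaces`, `ExposedListeners` and `SampleSS` are names chosen here, and the `ss -tuln` output is constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// BindsAllInterfaces reports whether a host:port listen address is reachable
// from every interface: an empty host (net.JoinHostPort("", "5553") gives
// ":5553"), ss's "*" wildcard, or an unspecified IP such as 0.0.0.0 or ::.
func BindsAllInterfaces(addr string) (bool, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false, err
	}
	if host == "" || host == "*" {
		return true, nil
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsUnspecified(), nil
}

// ExposedListeners scans `ss -tuln` output for sockets on port bound to all interfaces.
func ExposedListeners(ssOutput, port string) []string {
	var exposed []string
	for _, line := range strings.Split(ssOutput, "\n") {
		f := strings.Fields(line) // Netid State Recv-Q Send-Q Local:Port Peer:Port
		if len(f) < 6 || !strings.HasSuffix(f[4], ":"+port) {
			continue
		}
		if all, err := BindsAllInterfaces(f[4]); err == nil && all {
			exposed = append(exposed, f[4])
		}
	}
	return exposed
}

// Constructed sample from a vulnerable Linux host; 5553 is the SSE event port.
const SampleSS = `Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      4096   127.0.0.1:5553     0.0.0.0:*
tcp   LISTEN 0      4096   0.0.0.0:5553       0.0.0.0:*
tcp   LISTEN 0      4096   [::]:5553          [::]:*`

func main() {
	fmt.Println(BindsAllInterfaces(net.JoinHostPort("", "5553")))          // true: the defective default
	fmt.Println(BindsAllInterfaces(net.JoinHostPort("localhost", "5553"))) // false: the fixed default
	fmt.Println("exposed:", ExposedListeners(SampleSS, "5553"))
}
```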