CVE-2026-46431
Cross-Origin EventSource in Algernon Server
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xyproto | algernon | < 1.17.7 (up to and excluding 1.17.7) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-942 | The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate. |
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-46431 vulnerability affects the Algernon web server (versions up to 1.17.6) and involves an insecure Cross-Origin Resource Sharing (CORS) configuration in its Server-Sent Events (SSE) endpoint.
Specifically, the server hardcodes the Access-Control-Allow-Origin response header to the wildcard '*', which means any third-party website can access the SSE stream using JavaScript's EventSource API without authentication or special permissions.
Because EventSource does not send cookies or perform preflight requests, this wildcard setting allows any malicious third-party page a user visits to open a cross-origin EventSource connection to the SSE port and read live filename streams, potentially exposing sensitive information.
The vulnerability is fixed in version 1.17.7 by replacing the wildcard with a same-origin allow-list or removing the dedicated SSE port to enforce same-origin policies.
How can this vulnerability impact me?
This vulnerability can allow unauthorized third-party websites to access live event streams from the Algernon server without user consent beyond visiting a malicious page.
An attacker could exploit this to read sensitive file-change events or other data exposed via the SSE stream, leading to data exfiltration.
Since the attack requires only that a user visits a malicious page, it can be triggered with low complexity and no special privileges, making it a moderate risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Algernon web server (version 1.17.6 or earlier) is responding with the HTTP header `Access-Control-Allow-Origin: *` on its Server-Sent Events (SSE) endpoint.
You can use command-line tools like curl to inspect the response headers from the SSE endpoint. For example:
- `curl -I http://your-algernon-server/sse-endpoint`
Look for the header `Access-Control-Allow-Origin: *` in the response. If it is present, the server is vulnerable. If the endpoint does not answer HEAD requests, issue a GET instead and bound it with `--max-time`, printing the headers with `-D -`, so the open event stream does not keep curl waiting.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade Algernon to version 1.17.7 or later where the issue is fixed.
If upgrading is not immediately possible, consider removing or disabling the dedicated SSE port to rely on same-origin policies, or configure the server to replace the wildcard `Access-Control-Allow-Origin: *` header with a same-origin allow-list.
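The detection check and the allow-list fix described in the two answers above, as an added Go example that is not Algernon's own code: one handler reproduces the hardcoded wildcard, the other reflects the request `Origin` only when it is on a same-origin allow-list, and `Probe` performs in-process the same header inspection the curl command does by hand. The allow-list contents, the `/sse` path, the sample event line and the third-party origin are constructed for the example; the function names are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedOrigins is a constructed same-origin allow-list for this example;
// a real deployment lists the origin(s) the pages are actually served from.
var allowedOrigins = map[string]bool{
	"http://localhost:3000": true,
}

// setSSEHeaders writes the headers common to both handler variants.
func setSSEHeaders(w http.ResponseWriter) {
	w.Header().Set("Content-Type", "text/event-stream")
	w.Header().Set("Cache-Control", "no-cache")
}

// sseHandler returns the SSE endpoint in one of two forms. hardened=false
// reproduces the weak pattern the advisory describes: a hardcoded wildcard
// that lets any origin's EventSource read the stream. hardened=true reflects
// the request Origin only when it is on the allow-list and refuses otherwise.
func sseHandler(hardened bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		setSSEHeaders(w)
		if !hardened {
			w.Header().Set("Access-Control-Allow-Origin", "*") // the vulnerable setting
		} else if origin := r.Header.Get("Origin"); origin != "" {
			// Cross-origin EventSource requests always carry Origin; a GET
			// without it is same-origin or a non-browser client and needs no ACAO.
			if !allowedOrigins[origin] {
				http.Error(w, "origin not allowed", http.StatusForbidden)
				return
			}
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Add("Vary", "Origin") // caches must not reuse the reflected value
		}
		w.WriteHeader(http.StatusOK)
		// Constructed sample event standing in for the live filename stream.
		fmt.Fprint(w, "data: example.txt\n\n")
	}
}

// Probe issues an in-process request with the given Origin and returns the
// status code and the Access-Control-Allow-Origin value, the same thing the
// curl check in the text reads off the response headers.
func Probe(hardened bool, origin string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/sse", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rr := httptest.NewRecorder()
	sseHandler(hardened).ServeHTTP(rr, req)
	return rr.Code, rr.Header().Get("Access-Control-Allow-Origin")
}

// IsWildcardACAO is the detection rule: true when the endpoint announces "*".
func IsWildcardACAO(h http.Header) bool {
	return h.Get("Access-Control-Allow-Origin") == "*"
}

func main() {
	for _, hardened := range []bool{false, true} {
		for _, origin := range []string{"", "http://localhost:3000", "https://third-party.example"} {
			code, acao := Probe(hardened, origin)
			fmt.Printf("hardened=%-5v origin=%-28q status=%d ACAO=%q\n", hardened, origin, code, acao)
		}
	}
}
```

Running `main` shows the vulnerable variant answering `*` to every origin, while the hardened variant answers the allow-listed origin with its own value, refuses the constructed third-party origin with 403, and sends no ACAO header at all for a request without `Origin`. The `Vary: Origin` line matters whenever a cache sits in front of the server, so that a response reflected for one origin is never served to another.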
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized cross-origin access to sensitive file-change event streams via a permissive CORS policy, potentially leading to data exfiltration without user consent or authentication.
Such unauthorized data exposure could conflict with compliance requirements in standards like GDPR and HIPAA, which mandate strict controls over personal and sensitive data access and transmission.
By allowing any third-party website to read live filename streams, the vulnerability undermines data confidentiality and could result in violations of privacy and data protection regulations.