CVE-2026-46431
Deferred Deferred - Pending Action
Cross-Origin EventSource in Algernon Server

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: GitHub, Inc.

Description
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard * regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient to let any third-party page the developer visits open a cross-origin EventSource to the SSE port and read the live filename stream from JavaScript. This vulnerability is fixed in 1.17.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-46431
EUVD
EUVD-2026-31870
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xyproto algernon to 1.17.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-942 The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthorized cross-origin access to sensitive file-change event streams via a permissive CORS policy, potentially leading to data exfiltration without user consent or authentication.

Such unauthorized data exposure could conflict with compliance requirements in standards like GDPR and HIPAA, which mandate strict controls over personal and sensitive data access and transmission.

By allowing any third-party website to read live filename streams, the vulnerability undermines data confidentiality and could result in violations of privacy and data protection regulations.

Executive Summary

The CVE-2026-46431 vulnerability affects the Algernon web server (versions up to 1.17.6) and involves an insecure Cross-Origin Resource Sharing (CORS) configuration in its Server-Sent Events (SSE) endpoint.

Specifically, the server hardcodes the Access-Control-Allow-Origin response header to the wildcard '*', which means any third-party website can access the SSE stream using JavaScript's EventSource API without authentication or special permissions.

Because EventSource does not send cookies or perform preflight requests, this wildcard setting allows any malicious third-party page a user visits to open a cross-origin EventSource connection to the SSE port and read live filename streams, potentially exposing sensitive information.

The vulnerability is fixed in version 1.17.7 by replacing the wildcard with a same-origin allow-list or removing the dedicated SSE port to enforce same-origin policies.

Impact Analysis

This vulnerability can allow unauthorized third-party websites to access live event streams from the Algernon server without user consent beyond visiting a malicious page.

An attacker could exploit this to read sensitive file-change events or other data exposed via the SSE stream, leading to data exfiltration.

Since the attack requires only that a user visits a malicious page, it can be triggered with low complexity and no special privileges, making it a moderate risk.

Detection Guidance

This vulnerability can be detected by checking if the Algernon web server (version 1.17.6 or earlier) is responding with the HTTP header `Access-Control-Allow-Origin: *` on its Server-Sent Events (SSE) endpoint.

You can use command-line tools like curl to inspect the response headers from the SSE endpoint. For example:

  • curl -I http://your-algernon-server/sse-endpoint

Look for the presence of the header `Access-Control-Allow-Origin: *` in the response. If it is present, the server is vulnerable.

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Algernon to version 1.17.7 or later where the issue is fixed.

If upgrading is not immediately possible, consider removing or disabling the dedicated SSE port to rely on same-origin policies, or configure the server to replace the wildcard `Access-Control-Allow-Origin: *` header with a same-origin allow-list.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46431. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart