CVE-2026-48126
Deferred Deferred - Pending Action
Directory Traversal in Algernon Web Server

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: GitHub, Inc.

Description
Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory β€” arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. This vulnerability is fixed in 1.17.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-48126
EUVD
EUVD-2026-31881
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xyproto algernon to 1.17.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-644 The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.
CWE-23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-48126 is a high-severity path traversal vulnerability in the Algernon web server (versions up to 1.17.7). When Algernon is started with the --domain or --letsencrypt flags, it resolves the served directory by joining the configured directory with the client-supplied Host header without proper validation.

Because the Host header is not validated, an attacker can supply a Host header with the value ".." to traverse one level above the document root. This allows the attacker to read arbitrary files, list directories, and if any .lua files exist in that parent directory, execute server-side Lua scripts remotely.

This vulnerability arises from the use of filepath.Join without sanitizing the Host header, enabling path traversal and remote code execution.

Impact Analysis

This vulnerability can have serious impacts including unauthorized disclosure of sensitive files and data, full directory listings of parent directories, and remote code execution if Lua scripts are present.

An attacker can exploit this to read confidential information, compromise the integrity of the server by executing arbitrary code, and potentially disrupt services.

The CVSS score of 8.2 indicates a high severity with high confidentiality impact and potential integrity loss.

Detection Guidance

This vulnerability can be detected by checking if the Algernon web server is running with the --domain or --letsencrypt flags and if it accepts Host headers that contain path traversal sequences such as '..'.

One way to test for the vulnerability is to send HTTP requests with a Host header set to '..' and observe if the server responds with files or directory listings from the parent directory of the configured document root.

  • Use curl to send a request with a malicious Host header: curl -H "Host: .." http://<server-address>/
  • Check if the response contains files or directory listings outside the expected document root.
Mitigation Strategies

The immediate mitigation step is to upgrade Algernon to version 1.17.8 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, avoid running Algernon with the --domain or --letsencrypt flags, as these enable the vulnerable directory resolution mode.

Additionally, implement validation on the Host header to reject any path traversal sequences such as '..', '/', or '\' to prevent directory traversal attacks.

Compliance Impact

This vulnerability allows unauthenticated remote attackers to read arbitrary files and list directories outside the intended document root, potentially exposing sensitive data.

Such unauthorized data exposure can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Additionally, the possibility of remote code execution could compromise data integrity, further impacting compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48126. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart