CVE-2026-48126
Status: Received - Intake
Directory Traversal in Algernon Web Server

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: GitHub, Inc.

Description
Algernon is a small, self-contained, pure-Go web server. Prior to version 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory: arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. This vulnerability is fixed in 1.17.8.
Meta Information
Generated: 2026-05-26
AI Q&A: 2026-05-26
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor    Product    Version / Range
xyproto   algernon   up to 1.17.8 (exclusive)
CWE ID    Description
CWE-23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
CWE-644 The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-48126 is a high-severity path traversal vulnerability in the Algernon web server (versions up to 1.17.7). When Algernon is started with the --domain or --letsencrypt flags, it resolves the served directory by joining the configured directory with the client-supplied Host header without proper validation.

Because the Host header is not validated, an attacker can supply a Host header with the value ".." to traverse one level above the document root. This allows the attacker to read arbitrary files, list directories, and if any .lua files exist in that parent directory, execute server-side Lua scripts remotely.

This vulnerability arises from the use of filepath.Join without sanitizing the Host header, enabling path traversal and remote code execution.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthenticated remote attackers to read arbitrary files and list directories outside the intended document root, potentially exposing sensitive data.

Such unauthorized data exposure can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Additionally, the possibility of remote code execution could compromise data integrity, further impacting compliance with these standards.


How can this vulnerability impact me?

This vulnerability can have serious impacts including unauthorized disclosure of sensitive files and data, full directory listings of parent directories, and remote code execution if Lua scripts are present.

An attacker can exploit this to read confidential information, compromise the integrity of the server by executing arbitrary code, and potentially disrupt services.

The CVSS score of 8.2 indicates a high severity with high confidentiality impact and potential integrity loss.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the Algernon web server is running with the --domain or --letsencrypt flags and if it accepts Host headers that contain path traversal sequences such as '..'.

One way to test for the vulnerability is to send HTTP requests with a Host header set to '..' and observe if the server responds with files or directory listings from the parent directory of the configured document root.

  • Use curl to send a request with a malicious Host header: curl -H "Host: .." http://<server-address>/
  • Check if the response contains files or directory listings outside the expected document root.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Algernon to version 1.17.8 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, avoid running Algernon with the --domain or --letsencrypt flags, as these enable the vulnerable directory resolution mode.

Additionally, implement validation on the Host header to reject any path traversal sequences such as '..', '/', or '\' to prevent directory traversal attacks.
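
The following Go example is added here to illustrate both the root cause in the Description (an unvalidated filepath.Join of --dir and the Host header) and the Host-header validation recommended above; it is not Algernon's code, and docRoot, vulnerableServeDir and safeServeDir are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"path/filepath"
	"strings"
)

// Constructed document root for the example (stand-in for --dir).
const docRoot = "/srv/www"

// vulnerableServeDir mirrors the pattern the advisory describes: the Host
// header is joined onto the configured directory with no validation, so a
// header of ".." resolves one level above the document root.
func vulnerableServeDir(root, host string) string {
	return filepath.Join(root, host)
}

var errBadHost = errors.New("invalid Host header")

// safeServeDir is a hardened resolver (illustrative, not Algernon's fix):
// drop an optional port, accept only a plain lower-case hostname made of
// letters, digits, '-' and single '.' separators, then confirm the joined
// path still lies inside root before using it.
func safeServeDir(root, host string) (string, error) {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	host = strings.ToLower(host)
	for _, seg := range strings.Split(host, ".") {
		if seg == "" { // rejects "", ".", "..", leading/trailing/double dots
			return "", errBadHost
		}
		for _, r := range seg {
			if !(r >= 'a' && r <= 'z' || r >= '0' && r <= '9' || r == '-') {
				return "", errBadHost // catches '/', '\', spaces, etc.
			}
		}
	}
	full := filepath.Join(root, host)
	rel, err := filepath.Rel(root, full) // defence in depth: must stay under root
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errBadHost
	}
	return full, nil
}

func main() {
	for _, h := range []string{"Example.com:443", "..", "../../etc", "exa mple.com"} {
		safe, err := safeServeDir(docRoot, h)
		fmt.Printf("Host %-16q unvalidated=%-18q validated=%q err=%v\n", h, vulnerableServeDir(docRoot, h), safe, err)
	}
}
```

Running it shows the unvalidated join turning Host ".." into the parent of docRoot while the validated resolver rejects every traversal attempt and accepts only a normal hostname.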
