Description
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named handler.lua to execute as the request handler. The loop terminates only after 100 ancestor steps or when filepath.Dir returns ., so on any absolute server-root path the search reaches the filesystem root (/ on Unix, drive letter on Windows). The first handler.lua it finds is loaded into the Lua interpreter with the full Algernon API exposed — including run3(), httpclient, os.execute, io.popen, PQ, MSSQL, raw filesystem access, and the userstate database. Any process that can write handler.lua anywhere in a parent directory of the server root obtains pre-authenticated remote code execution on the next HTTP request. This is reachable without authentication — the lookup happens before the permission check returns a hit (the perm system only gates URL prefixes, not the handler-resolution step), and any URL pointing at a directory without an index triggers the walk. On a fresh stock Algernon install the request GET / is enough. This vulnerability is fixed in 1.17.7.
Published: 2026-05-26
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Algernon web server allows an attacker to achieve remote code execution by placing a handler.lua file in any directory above the server root. The server’s DirPage function traverses up to 100 ancestor directories looking for that file before applying permission checks, so an attacker who can write to any parent directory can cause the file to be loaded into the Lua interpreter. The interpreter has full access to the server’s API, including system commands and database connections, which means the attacker can run arbitrary code on the host with the privileges of the server process. This capability is exercised before any authentication is required, so an unauthenticated user can trigger the exploit with a single GET request to a directory lacking an index file. The impact is pre‑authenticated remote code execution affecting confidentiality, integrity, and availability.

Affected Systems

This issue affects the xyproto:algernon web server, specifically all releases older than version 1.17.7. The problem was present in every version before that point, and the fix was introduced in 1.17.7. System administrators should verify the vendor version of each deployed instance and plan an upgrade for any instance running 1.17.6 or earlier.

Risk and Exploitability

The CVSS score of 9 denotes critical severity. EPSS information is not provided, so the current likelihood of exploitation cannot be quantified from OpenSSF data, but the vulnerability is listed as not in the CISA KEV catalog. The exploit is trivial from a filesystem perspective: any account that can write to a directory above the configured root can create the handler.lua file, and the next HTTP request to an unindexed directory will trigger the walk and execution. Because the lookup occurs before the permission system is consulted, authentication is not required, giving attackers broad opportunity. The attack vector is a local or remote process capable of writing to the server filesystem, most commonly an attacker who has compromised the server or gained write access via another vulnerability.

Generated by OpenCVE AI on May 26, 2026 at 18:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 1.17.7 or later.
  • Disable Lua support or remove the Lua interpreter from the build if function not needed.
  • Ensure the server process runs with the minimum necessary filesystem permissions and that no writable directories exist above the configured root.
  • Monitor the filesystem for unexpected handler.lua files and treat their discovery as a security event.

Generated by OpenCVE AI on May 26, 2026 at 18:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xwcr-wm99-g9jc Algernon: handler.lua discovery walks parent directories above the server root
History

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Xyproto
Xyproto algernon
Vendors & Products Xyproto
Xyproto algernon

Tue, 26 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 26 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named handler.lua to execute as the request handler. The loop terminates only after 100 ancestor steps or when filepath.Dir returns ., so on any absolute server-root path the search reaches the filesystem root (/ on Unix, drive letter on Windows). The first handler.lua it finds is loaded into the Lua interpreter with the full Algernon API exposed — including run3(), httpclient, os.execute, io.popen, PQ, MSSQL, raw filesystem access, and the userstate database. Any process that can write handler.lua anywhere in a parent directory of the server root obtains pre-authenticated remote code execution on the next HTTP request. This is reachable without authentication — the lookup happens before the permission check returns a hit (the perm system only gates URL prefixes, not the handler-resolution step), and any URL pointing at a directory without an index triggers the walk. On a fresh stock Algernon install the request GET / is enough. This vulnerability is fixed in 1.17.7.
Title Algernon: handler.lua discovery walks parent directories above the server root
Weaknesses CWE-20
CWE-426
CWE-552
References
Metrics cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Xyproto Algernon
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-26T17:15:34.450Z

Reserved: 2026-05-13T05:51:48.666Z

Link: CVE-2026-45721

cve-icon Vulnrichment

Updated: 2026-05-26T17:13:06.865Z

cve-icon NVD

Status : Deferred

Published: 2026-05-26T17:16:47.750

Modified: 2026-05-26T19:26:42.643

Link: CVE-2026-45721

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T10:04:46Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-426

    Untrusted Search Path

  • CWE-552

    Files or Directories Accessible to External Parties