Description
Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory — arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. This vulnerability is fixed in 1.17.8.
Published: 2026-05-26
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to version 1.17.8, Algernon resolves the directory it serves from the client-supplied Host header whenever it is started with --domain (or with --letsencrypt, which enables --domain implicitly). The header value is joined onto the configured document root with filepath.Join and no validation, so a request carrying Host: .. resolves to the parent of the document root. Everything reachable from the resolved directory is then exposed: arbitrary file read, full directory listings, and, if any .lua file is present there, server-side execution of that Lua code. The weakness is classified as CWE-22, CWE-23, and CWE-644. The Lua path makes remote code execution possible; the CVSS vector (C:H/I:L/A:N) rates the confidentiality impact high, the integrity impact low, and records no availability impact.
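The resolution step described above (and in the Description at the top of the page), shown as an added Go example that is not Algernon's own code. The document root "/srv/www" and the function names are assumptions for the illustration; vulnerableServeDir reproduces the unvalidated join the advisory describes, hardenedServeDir shows the two checks a practitioner would want: a syntactic allowlist for the Host value and a containment check on the resulting path.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"path/filepath"
	"strings"
)

// docRoot stands in for Algernon's --dir. Hypothetical value for this example.
const docRoot = "/srv/www"

// vulnerableServeDir reproduces the flawed resolution the advisory describes:
// the client-supplied Host value is joined onto the document root as-is.
// filepath.Join cleans the result, so "." and ".." segments are resolved,
// which is exactly what lets "Host: .." step out of docRoot.
func vulnerableServeDir(host string) string {
	return filepath.Join(docRoot, host)
}

var errBadHost = errors.New("invalid Host header")

// hardenedServeDir accepts only a Host value that is a syntactically valid
// DNS name or dotted IPv4 address, then confirms the joined path is still
// inside docRoot. Either check alone would stop "..", both together keep the
// server safe even if one of them is later relaxed.
func hardenedServeDir(host string) (string, error) {
	// A Host header may carry a port ("example.com:8080"); drop it.
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if host == "" {
		return "", errBadHost
	}
	// Allowlist: labels of [a-z0-9-], non-empty, no leading/trailing '-'.
	// An empty label is what ".." and "a..b" produce, so both are rejected.
	// IPv6 literals contain ':' and are rejected as well; serving them by
	// directory name is not supported in this example.
	for _, label := range strings.Split(host, ".") {
		if label == "" || strings.HasPrefix(label, "-") || strings.HasSuffix(label, "-") {
			return "", errBadHost
		}
		for _, r := range label {
			if !(r >= 'a' && r <= 'z' || r >= '0' && r <= '9' || r == '-') {
				return "", errBadHost
			}
		}
	}
	// Containment check: the cleaned path must be a strict child of docRoot.
	joined := filepath.Join(docRoot, host)
	rel, err := filepath.Rel(docRoot, joined)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errBadHost
	}
	return joined, nil
}

func main() {
	// Constructed Host values, including the ".." from the advisory.
	hosts := []string{"example.com", "example.com:8080", "..", "../../etc", "a..b", "10.0.0.1"}
	for _, host := range hosts {
		safe, err := hardenedServeDir(host)
		fmt.Printf("%-18q vulnerable=%-22s hardened=%-24s err=%v\n",
			host, vulnerableServeDir(host), safe, err)
	}
}
```

Running the block shows that the unvalidated join turns Host: .. into /srv, the parent of the document root, while the hardened variant refuses it and every other value that is not a plausible hostname. The containment check is deliberately kept even though the allowlist already excludes ".." and "/": it is the test that still holds if the allowlist is later loosened, for example to accept non-ASCII hostnames.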

Affected Systems

The affected product is the Algernon web server by xyproto, in every release earlier than 1.17.8. A deployment is exposed only when the server is started with --domain or --letsencrypt (the latter implies the former); a single-directory deployment without these flags does not derive the served directory from the Host header. Check the running version and upgrade to 1.17.8 or later, the release that adds validation of the Host header.

Risk and Exploitability

The CVSS 3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) rates this as high severity; the EPSS probability is below 1%, and the issue is not listed in CISA's KEV catalog. The SSVC assessment recorded in the history below marks it as automatable with a proof of concept available. Exploitation requires nothing more than one unauthenticated HTTP request with a crafted Host header to a reachable instance that was started with --domain or --letsencrypt. Arbitrary file read and directory listing follow directly; code execution additionally requires a .lua file to exist in the directory reached by the traversal.

Generated by OpenCVE AI on May 26, 2026 at 18:38 UTC.

Remediation

Fixed by the vendor in Algernon 1.17.8, which validates the Host header before using it for directory resolution. No workaround other than disabling --domain and --letsencrypt is provided.

OpenCVE Recommended Actions

  • Upgrade to Algernon 1.17.8 or later, where the Host header is validated before it is used to resolve the served directory.
  • If an upgrade is not immediately possible, start the server without --domain and --letsencrypt. Dropping --domain alone is not enough, because --letsencrypt turns it back on; losing built-in certificate issuance can be compensated by terminating TLS at a reverse proxy that forwards only requests whose Host value is on an explicit allowlist.
  • Restrict network access to the server using firewalls or access controls so that only trusted clients can reach it.
  • Review the parent directory of the configured --dir for sensitive files and for any .lua files, and check access logs for requests whose Host value contains "..", which indicate exploitation attempts.

Advisories

No advisories yet.

History

Wed, 27 May 2026 10:30:00 +0000

  • First Time appeared (values added): Xyproto; Xyproto algernon
  • Vendors & Products (values added): Xyproto; Xyproto algernon

Tue, 26 May 2026 18:30:00 +0000

  • Metrics (values added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 26 May 2026 17:00:00 +0000

  • Description (values added): the description shown at the top of this page
  • Title (values added): Algernon: Host header path traversal in --domain mode reads files and runs Lua from parent dir
  • Weaknesses (values added): CWE-22, CWE-23, CWE-644
  • References (values added): none recorded
  • Metrics (values added): cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Updated: 2026-05-26T17:27:56.507Z
Reserved: 2026-05-20T18:46:58.291Z
Link: CVE-2026-48126

Vulnrichment

Updated: 2026-05-26T17:27:11.550Z

NVD

Status: Deferred
Published: 2026-05-26T17:16:53.360
Modified: 2026-05-26T19:26:42.643
Link: CVE-2026-48126

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:04:25Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-23: Relative Path Traversal
  • CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax