CVE-2026-45721: CWE-20: Improper Input Validation in xyproto algernon
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named handler.lua to execute as the request handler. The loop terminates only after 100 ancestor steps or when filepath.Dir returns ., so on any absolute server-root path the search reaches the filesystem root (/ on Unix, drive letter on Windows). The first handler.lua it finds is loaded into the Lua interpreter with the full Algernon API exposed — including run3(), httpclient, os.execute, io.popen, PQ, MSSQL, raw filesystem access, and the userstate database. Any process that can write handler.lua anywhere in a parent directory of the server root obtains pre-authenticated remote code execution on the next HTTP request. This is reachable without authentication — the lookup happens before the permission check returns a hit (the perm system only gates URL prefixes, not the handler-resolution step), and any URL pointing at a directory without an index triggers the walk. On a fresh stock Algernon install the request GET / is enough. This vulnerability is fixed in 1.17.7.
AI Analysis
Technical Summary
Algernon versions before 1.17.7 contain an improper input validation vulnerability (CWE-20) where the server's directory page handler (DirPage) walks upward through parent directories beyond the server root to find a handler.lua script. This script, if found, is executed with full privileges and access to sensitive APIs, including OS command execution and database access. The search continues up to 100 ancestor directories or until the filesystem root is reached. Because the permission system only restricts URL prefixes and not this handler resolution step, any unauthenticated request to a directory without an index file triggers this upward search, enabling remote code execution if an attacker can write handler.lua in any parent directory. This vulnerability is rated critical with a CVSS 3.1 score of 9.0 and is fixed in version 1.17.7.
Potential Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary code remotely on the server with full access to the Algernon API, including OS command execution and database manipulation. This can lead to complete system compromise, data theft, or disruption of service. The vulnerability affects all installations running versions prior to 1.17.7 and is triggered by simple HTTP requests to directories without index files.
Mitigation Recommendations
Upgrade Algernon to version 1.17.7 or later, where this vulnerability is fixed. There is no indication of any temporary or alternative mitigation. Until patched, prevent untrusted users from writing handler.lua files in any parent directories of the server root to avoid exploitation.
CVE-2026-45721: CWE-20: Improper Input Validation in xyproto algernon
Description
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named handler.lua to execute as the request handler. The loop terminates only after 100 ancestor steps or when filepath.Dir returns ., so on any absolute server-root path the search reaches the filesystem root (/ on Unix, drive letter on Windows). The first handler.lua it finds is loaded into the Lua interpreter with the full Algernon API exposed — including run3(), httpclient, os.execute, io.popen, PQ, MSSQL, raw filesystem access, and the userstate database. Any process that can write handler.lua anywhere in a parent directory of the server root obtains pre-authenticated remote code execution on the next HTTP request. This is reachable without authentication — the lookup happens before the permission check returns a hit (the perm system only gates URL prefixes, not the handler-resolution step), and any URL pointing at a directory without an index triggers the walk. On a fresh stock Algernon install the request GET / is enough. This vulnerability is fixed in 1.17.7.
CVSS v3.1
Score 9.0critical
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Algernon versions before 1.17.7 contain an improper input validation vulnerability (CWE-20) where the server's directory page handler (DirPage) walks upward through parent directories beyond the server root to find a handler.lua script. This script, if found, is executed with full privileges and access to sensitive APIs, including OS command execution and database access. The search continues up to 100 ancestor directories or until the filesystem root is reached. Because the permission system only restricts URL prefixes and not this handler resolution step, any unauthenticated request to a directory without an index file triggers this upward search, enabling remote code execution if an attacker can write handler.lua in any parent directory. This vulnerability is rated critical with a CVSS 3.1 score of 9.0 and is fixed in version 1.17.7.
Potential Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary code remotely on the server with full access to the Algernon API, including OS command execution and database manipulation. This can lead to complete system compromise, data theft, or disruption of service. The vulnerability affects all installations running versions prior to 1.17.7 and is triggered by simple HTTP requests to directories without index files.
Mitigation Recommendations
Upgrade Algernon to version 1.17.7 or later, where this vulnerability is fixed. There is no indication of any temporary or alternative mitigation. Until patched, prevent untrusted users from writing handler.lua files in any parent directories of the server root to avoid exploitation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-13T05:51:48.666Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a15d22e891d628fdc600894
Added to database: 5/26/2026, 5:02:38 PM
Last enriched: 5/26/2026, 5:32:06 PM
Last updated: 5/26/2026, 9:50:08 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.