CVE-2026-43982 Overview
CVE-2026-43982 is a path traversal vulnerability in Algernon, a self-contained pure-Go web server. The flaw resides in the uploadedFileSaveIn() function within lua/upload/upload.go. The function calls filepath.Join() with a caller-supplied directory but omits any boundary check after joining the paths. An attacker can supply a directory value such as ../../../tmp, which resolves cleanly to /tmp outside the configured web root. The issue is tracked under CWE-22: Improper Limitation of a Pathname to a Restricted Directory. Algernon version 1.17.6 fixes the vulnerability.
Critical Impact
Remote unauthenticated attackers can write uploaded files to arbitrary filesystem locations outside the web root, enabling integrity compromise of host files.
Affected Products
- Algernon web server versions prior to 1.17.6
- Applications embedding Algernon's Lua upload handler
- Deployments exposing the upload endpoint to untrusted clients
Discovery Timeline
- 2026-05-26 - CVE-2026-43982 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-43982
Vulnerability Analysis
The vulnerability exists in Algernon's Lua-based file upload handler. The uploadedFileSaveIn() function accepts a destination directory parameter from the calling context and concatenates it with the upload filename using Go's filepath.Join(). While filepath.Join() normalizes path separators and resolves .. segments, it does not enforce that the resulting path remains inside an intended base directory.
A caller-supplied directory containing parent-directory traversal sequences such as ../../../tmp collapses during normalization into an absolute path like /tmp. The handler then writes the uploaded file to that resolved location without verifying containment within the web root. This allows attackers to place arbitrary content into directories chosen by the attacker.
The vulnerability is exploitable over the network without authentication or user interaction. Impact is limited to integrity of the file system, as the flaw does not directly expose data confidentiality or service availability.
Root Cause
The root cause is missing boundary validation after path joining. Secure handling requires resolving the joined path to its canonical form and verifying that the result has the intended base directory as a prefix. Algernon's pre-1.17.6 code performs only the join, trusting the caller-supplied directory string.
Attack Vector
An attacker sends a crafted upload request to a Lua route that invokes uploadedFileSaveIn() with attacker-influenced directory input. The traversal sequence escapes the configured upload directory and writes the file payload to a location outside the web root. Depending on filesystem permissions, attackers can overwrite configuration files, drop executables into directories scanned by other services, or place files in locations that affect subsequent server behavior.
No verified exploitation code is publicly available for this issue. Technical specifics are documented in the GitHub Security Advisory GHSA-2j2c-pv62-mmcp and GitHub Issue #172.
Detection Methods for CVE-2026-43982
Indicators of Compromise
- Files appearing in filesystem locations outside the Algernon web root with timestamps matching upload activity
- HTTP upload requests containing .. sequences or absolute paths in directory-related parameters
- Unexpected writes to system directories such as /tmp, /var, or user home directories by the Algernon process
Detection Strategies
- Inspect Algernon access logs for POST requests targeting Lua upload endpoints with suspicious parameter values containing ../ patterns
- Audit the filesystem for files owned by the Algernon service account residing outside the configured document root
- Review Lua scripts that invoke uploadedFileSaveIn() to identify whether directory arguments derive from request input
Monitoring Recommendations
- Enable file integrity monitoring on directories adjacent to and above the Algernon web root
- Forward web server and filesystem audit events to a centralized logging pipeline for correlation
- Alert on Algernon process write operations to paths outside its configured working directory
How to Mitigate CVE-2026-43982
Immediate Actions Required
- Upgrade Algernon to version 1.17.6 or later on all affected hosts
- Audit Lua scripts that handle uploads and confirm directory parameters are not derived from untrusted input
- Run the Algernon process under a least-privilege account that cannot write to sensitive system directories
Patch Information
The maintainer fixed the vulnerability in Algernon 1.17.6 by adding boundary validation to the upload path handling. Refer to the GitHub Security Advisory GHSA-2j2c-pv62-mmcp for release details and to GitHub Issue #172 for the underlying report.
Workarounds
- Restrict access to upload endpoints using reverse proxy authentication or network-level controls until patching is complete
- Sanitize directory inputs in Lua handlers by rejecting any value containing .. or absolute path prefixes
- Confine the Algernon process with filesystem isolation mechanisms such as containers, chroot, or systemd directory restrictions
# Configuration example: validate that the resolved path stays within the web root
# Pseudocode for a Lua upload guard prior to upgrading
# local base = "/var/www/uploads"
# local target = path.canonical(path.join(base, user_dir))
# if not target:startswith(base) then error("path traversal blocked") end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
