CVE-2026-45721 Overview
CVE-2026-45721 is a pre-authentication remote code execution vulnerability in Algernon, a self-contained pure-Go web server. The flaw resides in the DirPage function, which walks upward through parent directories searching for a handler.lua file when a URL resolves to a directory without an index file. The search escapes the configured server root and traverses up to 100 ancestor directories or until the filesystem root is reached. Any attacker-controlled handler.lua discovered along this path is loaded into the Lua interpreter with the full Algernon API exposed. Versions prior to 1.17.7 are affected.
Critical Impact
An unauthenticated HTTP request such as GET / against a stock Algernon install triggers execution of any handler.lua located in a parent directory, granting full code execution via os.execute, io.popen, and raw filesystem access.
Affected Products
- Algernon web server versions prior to 1.17.7
- Deployments using default configuration with directory-based routing
- Any Algernon instance where an attacker can write handler.lua to a parent directory of the server root
Discovery Timeline
- 2026-05-26 - CVE-2026-45721 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-45721
Vulnerability Analysis
The vulnerability is an improper input validation flaw [CWE-20] in Algernon's request handler resolution logic. When a request URL maps to a directory lacking an index file, the DirPage routine attempts to locate a Lua handler by walking the directory hierarchy upward. The termination condition stops only after 100 iterations or when filepath.Dir returns ".", a condition that relative paths eventually satisfy but absolute server-root paths never do, so the walk traverses all the way to / on Unix or the drive root on Windows. The first handler.lua encountered is executed with the complete Algernon API surface, including run3(), httpclient, os.execute, io.popen, the PostgreSQL (PQ) and MSSQL bindings, raw filesystem access, and the userstate database.
Root Cause
The handler resolution step lacks a boundary check against the configured server root. The Algernon permission system gates only URL prefixes, not the file-resolution walk that precedes the permission check. As a result, the upward directory traversal occurs before any authentication or authorization logic executes.
Attack Vector
An attacker who can write a handler.lua file to any parent directory of the server root obtains pre-authentication remote code execution on the next HTTP request. On a fresh stock installation, an unauthenticated GET / request is sufficient to trigger the walk and execute attacker-controlled Lua code. The attack vector is network-based and requires no user interaction. See the GitHub Security Advisory for technical details.
Detection Methods for CVE-2026-45721
Indicators of Compromise
- Unexpected handler.lua files present in parent directories of the configured Algernon server root
- Algernon process spawning child processes through os.execute or io.popen Lua bindings
- Outbound network connections initiated by the Algernon process via the httpclient Lua module
- HTTP access log entries for directory paths returning unexpected dynamic content
Detection Strategies
- Audit the filesystem for any handler.lua files outside the intended Algernon document root
- Monitor the Algernon binary for unexpected execve calls, file writes outside the server root, or new outbound socket connections
- Inspect HTTP logs for requests to directory paths (URLs without file extensions) that returned 200 responses on a server expected to serve only static content
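The third strategy above (directory-style requests that returned 200 on a server meant to serve only static files) can be turned into a small log filter. The following Go program is an added example, not part of the advisory or the Algernon project; the access-log lines are constructed in Common Log Format for the demonstration, and the knownDynamic allowlist is an assumed parameter for suppressing extension-less routes a deployment serves on purpose.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strconv"
	"strings"
)

// Constructed access-log sample in Common Log Format; not real Algernon output.
const sampleLog = `10.0.0.5 - - [26/May/2026:10:00:01 +0000] "GET /static/app.css HTTP/1.1" 200 1024
10.0.0.5 - - [26/May/2026:10:00:02 +0000] "GET / HTTP/1.1" 200 512
10.0.0.7 - - [26/May/2026:10:00:03 +0000] "GET /docs/ HTTP/1.1" 200 311
10.0.0.7 - - [26/May/2026:10:00:04 +0000] "GET /missing HTTP/1.1" 404 0
10.0.0.9 - - [26/May/2026:10:00:05 +0000] "GET /img/logo.png HTTP/1.1" 200 2048
10.0.0.9 - - [26/May/2026:10:00:06 +0000] "GET /api/health?x=1 HTTP/1.1" 200 16`

// clfRe captures client, method, request target and status from one CLF line.
var clfRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) `)

// Hit is one access-log entry that matches the advisory's heuristic.
type Hit struct {
	Client string
	Path   string
	Status int
}

// directoryHits returns successful (2xx) requests whose path carries no file
// extension, i.e. requests that resolved to a directory and so could have
// triggered the DirPage walk. knownDynamic (assumed parameter) lists
// extension-less routes the deployment serves on purpose, to cut expected noise.
func directoryHits(logText string, knownDynamic map[string]bool) []Hit {
	var hits []Hit
	for _, line := range strings.Split(logText, "\n") {
		m := clfRe.FindStringSubmatch(line)
		if m == nil {
			continue // not a CLF line; skip rather than guess
		}
		status, _ := strconv.Atoi(m[4])
		target := m[3]
		if i := strings.IndexByte(target, '?'); i >= 0 {
			target = target[:i] // drop the query string before the extension check
		}
		if status/100 != 2 || path.Ext(target) != "" || knownDynamic[target] {
			continue
		}
		hits = append(hits, Hit{Client: m[1], Path: target, Status: status})
	}
	return hits
}

func main() {
	for _, h := range directoryHits(sampleLog, map[string]bool{"/api/health": true}) {
		fmt.Printf("%s requested %s -> %d\n", h.Client, h.Path, h.Status)
	}
}
```

On the constructed sample this reports the requests for / and /docs/ and ignores the 404, the static assets and the allowlisted health route. The heuristic only narrows the log; a flagged entry still needs to be correlated with process or filesystem telemetry before it means anything.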
Monitoring Recommendations
- Enable process execution auditing on hosts running Algernon and alert on child processes of the web server
- Track filesystem write events targeting parent directories of the Algernon server root
- Forward Algernon access and error logs to a centralized log platform for correlation with process telemetry
How to Mitigate CVE-2026-45721
Immediate Actions Required
- Upgrade Algernon to version 1.17.7 or later, which fixes the unbounded directory walk
- Scan all parent directories of every Algernon server root for unauthorized handler.lua files and remove any not explicitly deployed
- Restrict write permissions on parent directories of the server root so only trusted accounts can create files there
- Run Algernon under a dedicated low-privilege user account to limit post-exploitation impact
Patch Information
The vulnerability is fixed in Algernon 1.17.7. The patch constrains the handler.lua lookup to remain within the configured server root rather than walking up to the filesystem root. Refer to the GitHub Security Advisory GHSA-xwcr-wm99-g9jc for release details.
Workarounds
- Place an index file (such as index.html or index.lua) in every directory served by Algernon to prevent the DirPage walk from triggering
- Deploy Algernon inside a container or chroot so that the upward directory walk cannot reach attacker-writable locations
- Disable Lua handler execution if the deployment only requires static content serving
# Upgrade Algernon to the patched release
go install github.com/xyproto/algernon@v1.17.7
# List handler.lua files anywhere outside the server root (replace the placeholder path with your configured root)
find / -name 'handler.lua' -not -path '/path/to/serverroot/*' 2>/dev/null
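To make the root cause and the fix concrete, and to give the "scan all parent directories" step above a precise form, here is an added Go example; it is not code from the advisory or from the Algernon project. walkUpForHandler models the pre-1.17.7 lookup as the Technical Details section describes it (100-step cap, stop when filepath.Dir stops changing or returns "."), walkUpForHandlerBounded is an illustrative hardened form that refuses to leave the configured root (the actual 1.17.7 change may differ in detail), and auditAncestors lists exactly the handler.lua files the unbounded walk could have loaded. The directory layout in main is constructed in a temporary directory.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// maxWalk is the 100-ancestor limit the advisory describes.
const maxWalk = 100

// hasHandler reports whether dir contains a regular file named handler.lua.
func hasHandler(dir string) (string, bool) {
	candidate := filepath.Join(dir, "handler.lua")
	if fi, err := os.Stat(candidate); err == nil && !fi.IsDir() {
		return candidate, true
	}
	return "", false
}

// walkUpForHandler models the pre-1.17.7 lookup: check the requested directory,
// then each parent in turn, stopping only after maxWalk steps or when
// filepath.Dir stops changing (filesystem root) or returns ".". No server-root
// boundary is applied, so a handler.lua planted above the document root wins.
func walkUpForHandler(start string) (string, bool) {
	dir := filepath.Clean(start)
	for i := 0; i < maxWalk; i++ {
		if h, ok := hasHandler(dir); ok {
			return h, true
		}
		parent := filepath.Dir(dir)
		if parent == dir || parent == "." {
			break
		}
		dir = parent
	}
	return "", false
}

// inside reports whether dir equals root or lies beneath it.
func inside(dir, root string) bool {
	rel, err := filepath.Rel(root, dir)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

// walkUpForHandlerBounded is the illustrative hardened form (written for this
// example): the same walk, but it never inspects a directory outside root and
// stops once root itself has been checked.
func walkUpForHandlerBounded(start, root string) (string, bool) {
	root = filepath.Clean(root)
	dir := filepath.Clean(start)
	if !inside(dir, root) {
		return "", false // requested path already escaped the root
	}
	for i := 0; i < maxWalk; i++ {
		if h, ok := hasHandler(dir); ok {
			return h, true
		}
		if dir == root {
			break
		}
		dir = filepath.Dir(dir)
	}
	return "", false
}

// auditAncestors lists every handler.lua in a strict ancestor of root: the set
// of files the unbounded walk could have loaded. Use it as the pre-upgrade check.
func auditAncestors(root string) []string {
	var found []string
	dir := filepath.Clean(root)
	for parent := filepath.Dir(dir); parent != dir && parent != "."; parent = filepath.Dir(dir) {
		dir = parent
		if h, ok := hasHandler(dir); ok {
			found = append(found, h)
		}
	}
	return found
}

func main() {
	// Constructed layout: <tmp>/handler.lua is planted one level above the
	// server root <tmp>/srv; the request maps to the directory <tmp>/srv/docs.
	tmp, err := os.MkdirTemp("", "algernon-walk-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(tmp)
	root := filepath.Join(tmp, "srv")
	requested := filepath.Join(root, "docs")
	if err := os.MkdirAll(requested, 0o755); err != nil {
		panic(err)
	}
	planted := filepath.Join(tmp, "handler.lua")
	if err := os.WriteFile(planted, []byte("-- constructed file planted above the root\n"), 0o644); err != nil {
		panic(err)
	}
	h, ok := walkUpForHandler(requested)
	fmt.Printf("unbounded walk: found=%v %s\n", ok, h)
	h, ok = walkUpForHandlerBounded(requested, root)
	fmt.Printf("bounded walk:   found=%v %q\n", ok, h)
	fmt.Printf("ancestors of %s holding handler.lua: %v\n", root, auditAncestors(root))
}
```

Run against the constructed layout, the unbounded walk returns the planted file, the bounded walk returns nothing, and the audit reports the planted file. Pointing auditAncestors at a real server root before upgrading answers the question the find command above asks, restricted to the directories the vulnerable walk could actually reach.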
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.