CVE-2026-45728 Overview
CVE-2026-45728 is a source code disclosure vulnerability in Algernon, a self-contained pure-Go web server. Versions prior to 1.17.7 are affected. When Algernon is invoked with a single file path rather than a directory, the server enables singleFileMode and forcibly activates debugMode. This configuration enables the PrettyError renderer, which exposes server-side file contents in error responses. Any unauthenticated network client that can trigger a runtime error in the served Lua script receives the full source of the file and any sibling Lua data files consulted during the request. The flaw is tracked as CWE-209: Generation of Error Message Containing Sensitive Information.
Critical Impact
Unauthenticated remote attackers can retrieve full server-side Lua source code, including any secrets, credentials, or business logic embedded in scripts.
Affected Products
- Algernon web server versions prior to 1.17.7
- Deployments invoking Algernon with a single file path argument (single-file mode)
- Applications relying on Lua scripts or templates served by vulnerable Algernon instances
Discovery Timeline
- 2026-05-26 - CVE-2026-45728 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-45728
Vulnerability Analysis
The vulnerability resides in Algernon's startup logic for single-file invocation. Launching the server with a file path argument sets singleFileMode = true and unconditionally enables debugMode. Debug mode activates the PrettyError renderer, which is intended to assist developers during local testing. When a Lua script or template raises a runtime or parser error, the renderer constructs an HTTP 200 OK response containing the absolute file path of the failing script, the complete byte contents of that file, and the verbatim exception or parser error text. Sibling Lua data files read during the failing request are also disclosed. Because no authentication or origin check gates this response, any reachable client that can provoke a script-level error receives the full source.
Root Cause
The root cause is an insecure default configuration combined with verbose error reporting. Algernon couples singleFileMode with debugMode without operator opt-in, treating any single-file deployment as a trusted development environment. The PrettyError renderer then prioritizes debugging detail over confidentiality, embedding file contents directly in HTTP responses delivered to the requesting client.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker identifies an Algernon instance running in single-file mode, then crafts a request that causes the served Lua script or template to throw a runtime error. Common triggers include malformed parameters, type mismatches, or requests that drive the script into unhandled code paths. The server responds with the script's source code and any related Lua data files read during execution. No verified public exploit code is referenced in the advisory. Refer to the GitHub Security Advisory GHSA-fwqx-8365-9983 for additional technical context.
Detection Methods for CVE-2026-45728
Indicators of Compromise
- HTTP 200 OK responses containing absolute filesystem paths and raw Lua source content in the response body
- Web server access logs showing requests with malformed parameters or fuzzing patterns targeting Lua endpoints
- Outbound responses larger than typical script output, correlated with parser or runtime error strings
Detection Strategies
- Inspect Algernon process command lines for invocations that pass a single file path rather than a directory, indicating singleFileMode is active
- Review HTTP response bodies for PrettyError markers, Lua stack traces, or absolute path strings characteristic of debug output
- Compare deployed Algernon binary versions against 1.17.7 and flag any earlier release in production
Monitoring Recommendations
- Enable full request and response logging at the reverse proxy or WAF layer to capture error responses for forensic review
- Alert on response bodies containing Lua error keywords such as attempt to, nil value, or parser error originating from Algernon hosts
- Track repeated error-inducing requests from the same source IP, which may indicate active source code harvesting
How to Mitigate CVE-2026-45728
Immediate Actions Required
- Upgrade all Algernon instances to version 1.17.7 or later, which removes the forced debug mode coupling
- Audit deployment scripts and service unit files for invocations that pass a single file path and restructure them to serve from a directory where feasible
- Rotate any credentials, API keys, or secrets that may have been embedded in Lua scripts served by vulnerable instances
Patch Information
The vendor released the fix in Algernon 1.17.7. The patch decouples debugMode from singleFileMode, preventing automatic activation of the PrettyError renderer. Operators should consult the GitHub Security Advisory GHSA-fwqx-8365-9983 for release notes and upgrade guidance.
Workarounds
- If immediate upgrade is not possible, restructure deployments to serve content from a directory rather than a single file path, avoiding singleFileMode
- Place Algernon behind a reverse proxy that strips or rewrites response bodies containing error signatures and absolute file paths
- Restrict network reachability of Algernon instances to trusted clients using firewall rules or IP allowlists until patching is complete
# Configuration example: upgrade and verify Algernon version
go install github.com/xyproto/algernon@v1.17.7
algernon --version
# Serve from a directory rather than a single file to avoid singleFileMode
algernon /var/www/site
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
