CVE-2026-46430 Overview
CVE-2026-46430 affects Algernon, a small self-contained pure-Go web server. Versions prior to 1.17.7 bind the Server-Sent Events (SSE) event server to 0.0.0.0:5553 by default on Linux and macOS systems. The platform-dependent host default in engine/flags.go:39-46 sets host = "" for non-Windows platforms, and utils.JoinHostPort("", ":5553") resolves to :5553. This exposes the SSE event server to any host that can reach the machine on the adjacent network. The vulnerability is tracked under CWE-668: Exposure of Resource to Wrong Sphere and is fixed in version 1.17.7.
Critical Impact
Adjacent network attackers can connect to the SSE event server intended for local use, resulting in low-impact confidentiality exposure of event stream data.
Affected Products
- Algernon web server versions prior to 1.17.7 on Linux
- Algernon web server versions prior to 1.17.7 on macOS
- Algernon deployments using default SSE event server configuration
Discovery Timeline
- 2026-05-26 - CVE-2026-46430 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-46430
Vulnerability Analysis
The vulnerability stems from an insecure default network binding in the Algernon web server. The SSE event server, intended for local communication with web clients, listens on all network interfaces rather than the loopback interface. Attackers on the same network segment can connect to TCP port 5553 and consume server-sent events. This exposes event stream data that developers expect to remain local to the host.
The attack requires adjacent network access according to the CVSS vector. No authentication or user interaction is required to establish a connection. The impact is limited to confidentiality of the event stream content.
Root Cause
The root cause sits in engine/flags.go:39-46, where the platform-dependent host default is set to an empty string for non-Windows platforms. When the code calls utils.JoinHostPort("", ":5553"), the resulting bind address resolves to :5553. In Go's net package, an empty host in a listen address binds to 0.0.0.0, which accepts connections on every available interface. Windows builds were unaffected because they used a different platform default that scoped the listener to localhost.
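To make the root cause concrete, the following added Go example (not Algernon's own code) reproduces how an empty host default becomes an all-interfaces listen address, and pairs it with a check that flags such wildcard binds during an audit. The 127.0.0.1 value used for the fixed and Windows defaults and all helper names are assumptions; the advisory only states that those builds scoped the listener to localhost.

```go
package main

import (
	"fmt"
	"net"
	"runtime"
)

// ssePort is the default SSE event server port named in the advisory.
const ssePort = "5553"

// defaultSSEHost reproduces the shape of the pre-1.17.7 default: an empty
// host on non-Windows platforms. The 127.0.0.1 value for Windows and for
// the fixed build is an assumption, not the project's literal code.
func defaultSSEHost(goos string, fixed bool) string {
	if fixed || goos == "windows" {
		return "127.0.0.1" // assumed loopback-scoped default
	}
	return "" // vulnerable default: empty host
}

// sseBindAddr joins host and port into a net.Listen address. An empty
// host yields ":5553", which Go's net package treats as "all interfaces".
func sseBindAddr(host string) string {
	return net.JoinHostPort(host, ssePort)
}

// isWildcardBind reports whether a listen address accepts connections on
// every interface: an empty host, 0.0.0.0, or the IPv6 unspecified address.
func isWildcardBind(addr string) (bool, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false, err
	}
	if host == "" {
		return true, nil
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsUnspecified(), nil
}

func main() {
	for _, fixed := range []bool{false, true} {
		addr := sseBindAddr(defaultSSEHost(runtime.GOOS, fixed))
		wild, _ := isWildcardBind(addr)
		fmt.Printf("fixed=%v addr=%q wildcard=%v\n", fixed, addr, wild)
	}
}
```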
Attack Vector
An attacker positioned on the same local network as a host running Algernon can connect directly to TCP port 5553. The SSE endpoint streams events without performing origin checks or authentication on the underlying socket. Public Wi-Fi networks, shared cloud subnets, and untrusted office LANs are typical scenarios where this exposure becomes relevant. See the GitHub Security Advisory for further technical detail.
Detection Methods for CVE-2026-46430
Indicators of Compromise
- Algernon process listening on 0.0.0.0:5553 instead of 127.0.0.1:5553 on Linux or macOS hosts
- Unexpected inbound TCP connections to port 5553 from non-loopback source addresses
- SSE event stream sessions originating from external or peer hosts in network flow logs
Detection Strategies
- Run ss -tlnp | grep 5553 on Linux, or lsof -iTCP:5553 -sTCP:LISTEN on macOS, to confirm the SSE server bind address
- Compare installed Algernon binary version against 1.17.7 using algernon --version
- Audit configuration management inventories for Algernon versions earlier than 1.17.7
Monitoring Recommendations
- Alert on listening sockets on port 5553 bound to non-loopback addresses across managed endpoints
- Capture network flow telemetry for inbound traffic to port 5553 from non-local sources
- Track outbound SSE traffic patterns from Algernon hosts to identify unexpected subscribers
How to Mitigate CVE-2026-46430
Immediate Actions Required
- Upgrade Algernon to version 1.17.7 or later on all Linux and macOS hosts
- Restrict access to TCP port 5553 using host firewall rules until patching is complete
- Inventory all systems running Algernon and verify the SSE listener bind address
Patch Information
The maintainers fixed this issue in Algernon 1.17.7 by correcting the platform-dependent host default so the SSE event server binds to the loopback interface on Linux and macOS. Review the GitHub Security Advisory GHSA-gj84-924c-48fx for release notes and patch references.
Workarounds
- Block inbound connections to TCP port 5553 from non-loopback sources using iptables, nftables, or pf until the upgrade is applied
- Run Algernon inside a network namespace or container that restricts external interface exposure
- Place affected hosts behind a network segmentation boundary that limits adjacent network reachability
# Example iptables rule restricting SSE port to loopback only
sudo iptables -A INPUT -p tcp --dport 5553 ! -i lo -j DROP
# Verify the SSE server bind address after upgrade
ss -tlnp | grep 5553
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.