CVE-2026-48126 Overview
CVE-2026-48126 is a path traversal vulnerability [CWE-22] in Algernon, a self-contained pure-Go web server. The flaw exists in versions prior to 1.17.8 when the server is started with the --domain or --letsencrypt flag. The request handler resolves the served directory by joining the configured --dir value with the client-supplied Host header using filepath.Join without validation. Attackers can supply a Host: .. header to walk above the document root, exposing arbitrary files, full directory listings, and triggering server-side Lua execution if any .lua file is reachable. The maintainer fixed the issue in version 1.17.8.
Critical Impact
Unauthenticated remote attackers can read arbitrary files and execute server-side Lua code by manipulating the HTTP Host header.
Affected Products
- Algernon web server versions prior to 1.17.8
- Deployments launched with the --domain flag
- Deployments launched with the --letsencrypt flag, which silently enables --domain
Discovery Timeline
- 2026-05-26 - CVE-2026-48126 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-48126
Vulnerability Analysis
The vulnerability resides in the Algernon HTTP request handler. When --domain is active, the handler constructs the on-disk path for each request by concatenating the configured document root with the value of the incoming Host header. Because filepath.Join collapses .. segments but does not constrain the result to the original root, a Host: .. header resolves to the parent directory of --dir. Subsequent file resolution then operates on that parent directory.
The consequences extend beyond information disclosure. An attacker who reaches a directory containing .lua files triggers Algernon's server-side Lua execution path. This converts a traversal primitive into arbitrary server-side code execution within the Lua sandbox exposed by the server.
Root Cause
The root cause is missing validation of attacker-controlled input used in filesystem path construction. The Host header is treated as a trusted directory name and joined with the document root in the path-construction logic in engine/flags.go, with no check that the resulting path remains inside the configured root.
Attack Vector
Exploitation requires only network reachability to a vulnerable Algernon instance running with --domain or --letsencrypt. The attacker sends a standard HTTP request with a crafted Host: .. header. No authentication or user interaction is required. The flaw is exploited remotely over the network with low attack complexity.
Detection Methods for CVE-2026-48126
Indicators of Compromise
- HTTP requests containing Host: .. or other Host header values that resolve to parent directories.
- Access log entries showing successful responses for paths that map outside the configured --dir root.
- Unexpected execution of .lua scripts located outside the intended document root.
Detection Strategies
- Inspect web server and reverse proxy access logs for malformed or traversal-style Host header values.
- Deploy web application firewall rules that reject Host headers containing .., path separators, or non-hostname characters.
- Alert on Algernon process spawning unexpected Lua execution outside the intended content directory.
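Detection logic of the kind the strategies above call for, as an added example and not anything shipped with Algernon or nginx: a Host-header validator applied to constructed access-log lines. The log format, the sample lines, the document-free hostname rule and the function names (suspiciousHost, scanLog) are assumptions made for this example; a real deployment would parse whatever field its proxy actually records for the Host header.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// hostnameRE accepts a DNS-style name (labels of letters, digits and hyphens
// joined by single dots) or an IPv4 literal, with an optional :port. Empty
// labels (so ".." never matches), slashes, backslashes and other characters
// are rejected. IPv6 literals such as "[::1]" are not modelled and will be
// flagged for review; extend the expression if your deployment uses them.
var hostnameRE = regexp.MustCompile(
	`^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*(:[0-9]{1,5})?$`)

// suspiciousHost reports whether a Host header value should be flagged, and
// why. The checks mirror the advisory's indicators: parent-directory
// sequences, path separators, and values that are not hostname-shaped.
func suspiciousHost(host string) (bool, string) {
	switch {
	case strings.Contains(host, ".."):
		return true, "parent-directory sequence"
	case strings.ContainsAny(host, `/\`):
		return true, "path separator"
	case !hostnameRE.MatchString(host):
		return true, "non-hostname characters"
	}
	return false, ""
}

// Finding records one flagged log line.
type Finding struct {
	Line   int
	Host   string
	Reason string
}

// logRE parses the constructed sample format used below:
//   <client-ip> <host-header> "<request-line>" <status>
// This is NOT Algernon's or nginx's native format; adapt the expression to
// the fields your proxy logs (for nginx, a log_format that includes $host).
var logRE = regexp.MustCompile(`^(\S+) (\S+) "([^"]*)" (\d{3})$`)

// scanLog returns a Finding for every parseable line whose Host value is
// suspicious. Lines that do not match the format are skipped, not flagged.
func scanLog(lines []string) []Finding {
	var out []Finding
	for i, ln := range lines {
		m := logRE.FindStringSubmatch(ln)
		if m == nil {
			continue
		}
		if bad, why := suspiciousHost(m[2]); bad {
			out = append(out, Finding{Line: i + 1, Host: m[2], Reason: why})
		}
	}
	return out
}

// sampleLog is constructed for this example; the addresses are documentation
// ranges and the hosts are made up.
var sampleLog = []string{
	`203.0.113.5 example.com "GET /index.html HTTP/1.1" 200`,
	`203.0.113.5 .. "GET / HTTP/1.1" 200`,
	`198.51.100.9 example.com:8080 "GET /about.html HTTP/1.1" 200`,
	`198.51.100.9 ../www2 "GET / HTTP/1.1" 200`,
	`192.0.2.77 bad\host "GET / HTTP/1.1" 404`,
}

func main() {
	for _, f := range scanLog(sampleLog) {
		fmt.Printf("line %d: host %q flagged (%s)\n", f.Line, f.Host, f.Reason)
	}
}
```

A 200 status on a flagged line is the combination worth escalating: it means the server answered the traversal request rather than rejecting it, which is the "successful responses for paths outside --dir" indicator listed above.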
Monitoring Recommendations
- Forward Algernon access logs and process telemetry to a centralized analytics platform for correlation.
- Track file read events on directories that are siblings or parents of the configured --dir.
- Monitor outbound connections originating from the Algernon process for signs of post-exploitation activity.
How to Mitigate CVE-2026-48126
Immediate Actions Required
- Upgrade Algernon to version 1.17.8 or later on all hosts.
- If upgrading is not immediately possible, stop running Algernon with --domain or --letsencrypt until patched.
- Audit the parent directory of every Algernon --dir path for sensitive files and any .lua scripts.
Patch Information
The maintainer fixed CVE-2026-48126 in Algernon 1.17.8. The patch adds validation so that the resolved path cannot escape the configured document root when the Host header is incorporated into file resolution. Details are documented in the GitHub Security Advisory GHSA-jc3j-x6pg-4hmv.
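As an added illustration of the join behaviour described under Vulnerability Analysis and of the containment check the patch is said to add, the following Go program places the unchecked filepath.Join beside a hardened resolver. This is example code written for this page, not Algernon's implementation and not the actual 1.17.8 patch; the document root /srv/www and the function names vulnerableRoot and safeRoot are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// vulnerableRoot reproduces the pattern the advisory describes: the
// configured document root is joined with the raw Host header value and the
// result is used as-is. filepath.Join collapses ".." segments, so a Host of
// ".." yields the parent of the root instead of a directory beneath it.
func vulnerableRoot(docRoot, host string) string {
	return filepath.Join(docRoot, host)
}

// errEscapesRoot is returned when the resolved path would leave the root.
var errEscapesRoot = errors.New("host header resolves outside the document root")

// safeRoot is a containment check of the kind the advisory says the fix adds.
// It is written here for illustration and is not Algernon's code. After
// joining, filepath.Rel expresses the result relative to the root; a relative
// path that is ".." or starts with "../" has escaped. Using Rel rather than a
// plain string-prefix test avoids accepting a sibling directory whose name
// merely starts with the root's name (e.g. /srv/www2 for root /srv/www).
func safeRoot(docRoot, host string) (string, error) {
	root := filepath.Clean(docRoot)
	joined := filepath.Join(root, host)
	rel, err := filepath.Rel(root, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errEscapesRoot
	}
	return joined, nil
}

func main() {
	const docRoot = "/srv/www" // constructed root for the example
	for _, host := range []string{"example.com", "..", "../www2", "example.com/../.."} {
		safe, err := safeRoot(docRoot, host)
		fmt.Printf("Host=%-22q unchecked=%-24s checked=%q err=%v\n",
			host, vulnerableRoot(docRoot, host), safe, err)
	}
}
```

The check runs on the cleaned, joined path rather than on the raw header, so encodings that only become ".." after cleaning (for example "example.com/../..") are caught the same way a bare ".." is; a header-level filter such as the nginx rule under Workarounds is a useful first line, but the containment check is what closes the bug at the resolver.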
Workarounds
- Place Algernon behind a reverse proxy that normalizes and validates the Host header before forwarding requests.
- Configure firewall or proxy rules to drop requests whose Host header contains .. or filesystem separators.
- Ensure the parent directory of --dir contains no sensitive files and no .lua scripts until the patch is applied.
# Example reverse proxy rule rejecting traversal Host headers (nginx; place inside the server block)
if ($http_host ~* "\.\.") {
    return 400;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.