CVE 9 CRITICAL

Algernon: handler.lua discovery walks parent directories above the server root_CVE-2026-45721

May 26, 2026 invoker category_cve

9 / 10

CRITICAL

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named handler.lua to execute as the request handler. The loop terminates only after 100 ancestor steps or when filepath.Dir returns ., so on any absolute server-root path the search reaches the filesystem root (/ on Unix, drive letter on Windows). The first handler.lua it finds is loaded into the Lua interpreter with the full Algernon API exposed — including run3(), httpclient, os.execute, io.popen, PQ, MSSQL, raw filesystem access, and the userstate database. Any process that can write handler.lua anywhere in a parent directory of the server root obtains pre-authenticated remote code execution on the next HTTP request. This is reachable without authentication — the lookup happens before the permission check returns a hit (the perm system only gates URL prefixes, not the handler-resolution step), and any URL pointing at a directory without an index triggers the walk. On a fresh stock Algernon install the request GET / is enough. This vulnerability is fixed in 1.17.7.

AI Analysis

Pre-authenticated remote code execution vulnerability due to handler.lua discovery walking parent directories above the server root

Basic Information

ID CVE-2026-45721

Source GitHub_M

Published May 26, 2026 at 16:34

Affected Product

Vendor xyproto

Product algernon

Version < 1.17.7

Affected Versions xyproto algernon < 1.17.7

CWE Classification

CWE-20 CWE-426 CWE-552

AI Assessment

AI Score 9 / 10

AI Severity Critical

Vendor xyproto

Product algernon

Version < 1.17.7

References

github.com /xyproto/algernon/security/advisories/GHSA-xwcr-wm99-g9jc

{
    "lastseen": "",
    "description": "Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories \u2014 past the configured server root \u2014 looking for a file named handler.lua to execute as the request handler. The loop terminates only after 100 ancestor steps or when filepath.Dir returns ., so on any absolute server-root path the search reaches the filesystem root (/ on Unix, drive letter on Windows). The first handler.lua it finds is loaded into the Lua interpreter with the full Algernon API exposed \u2014 including run3(), httpclient, os.execute, io.popen, PQ, MSSQL, raw filesystem access, and the userstate database. Any process that can write handler.lua anywhere in a parent directory of the server root obtains pre-authenticated remote code execution on the next HTTP request. This is reachable without authentication \u2014 the lookup happens before the permission check returns a hit (the perm system only gates URL prefixes, not the handler-resolution step), and any URL pointing at a directory without an index triggers the walk. On a fresh stock Algernon install the request GET / is enough. This vulnerability is fixed in 1.17.7.",
    "published": "2026-05-26T16:34:49.985Z",
    "modified": "2026-05-26T16:34:49.985Z",
    "type": "cve",
    "title": "Algernon: handler.lua discovery walks parent directories above the server root",
    "source": "GitHub_M",
    "references": "https://github.com/xyproto/algernon/security/advisories/GHSA-xwcr-wm99-g9jc",
    "id": "CVE-2026-45721",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20",
        "CWE-426",
        "CWE-552"
    ],
    "cvelist": null,
    "sourceData": "xyproto algernon < 1.17.7",
    "sourceHref": "",
    "cvss": {
        "score": 9,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "algernon",
    "version": "< 1.17.7",
    "vendor": "xyproto",
    "ai_description": "Pre-authenticated remote code execution vulnerability due to handler.lua discovery walking parent directories above the server root",
    "ai_severity": "Critical",
    "ai_vendor": "xyproto",
    "ai_product": "algernon",
    "ai_version": "< 1.17.7",
    "ai_score": 9
}

💭 Join the Security Discussion ❌ Cancel Reply