PatchSiren

CVE-2026-46430 xyproto CVE debrief

CVE-2026-46430 is a medium-severity vulnerability in Algernon, a self-contained pure-Go web server. Prior to version 1.17.7, the SSE (Server-Sent Events) event server binds to all network interfaces on port 5553 (0.0.0.0:5553) by default on Linux and macOS because of a platform-dependent host default in engine/flags.go. On non-Windows platforms the host defaults to an empty string, so utils.JoinHostPort("", ":5553") resolves to ":5553", a listen address with no host part, which Go's net package interprets as the wildcard address (on dual-stack hosts this is the IPv6 unspecified address [::], which also accepts IPv4 connections). This exposes the SSE endpoint to the local network and lets an unauthenticated attacker on an adjacent network read the event stream. The vulnerability was published on 2026-05-26 and modified later the same day. It is not listed in CISA KEV. The issue is resolved in Algernon 1.17.7.

Vendor
xyproto
Product
algernon
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-26
Advisory published
2026-05-26
Advisory updated
2026-05-26

Who should care

Organizations running Algernon web servers on Linux or macOS in multi-host or shared network environments should prioritize this update. Security teams responsible for network-hardening of Go-based services, as well as developers deploying Algernon in containerized or cloud environments where 0.0.0.0 binding may inadvertently expose services, should review their configurations.

Technical summary

In Algernon versions prior to 1.17.7, the SSE event server defaults to binding on 0.0.0.0:5553 on Linux and macOS. This occurs because engine/flags.go sets host = "" for non-Windows platforms, and utils.JoinHostPort("", ":5553") produces ":5553", which Go's net package interprets as binding to all interfaces (IPv4 and, on dual-stack hosts, IPv6 as well). The exposure allows adjacent network attackers to connect to the SSE endpoint without authentication and read whatever event data the server publishes. The vulnerability does not affect Windows builds, which use a different host default. The fix in 1.17.7 corrects the platform-dependent host default so that an unset host no longer yields a host-less listen address, preventing unintended exposure beyond the local machine.
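The following Go program is an added illustration written for this debrief; it is not Algernon's code. It reconstructs the behaviour the summary describes using the standard library's net.JoinHostPort in place of Algernon's utils.JoinHostPort (the page reports the latter is passed ":5553"; the standard function takes a bare port, so "5553" is used here), shows the hardened form that maps an empty host to the IPv4 loopback address, and adds a check a deployer can run on a configured listen address to tell whether it would bind every interface. The function names, the loopback fallback, and the sample hosts are assumptions for the example.

```go
package main

import (
	"fmt"
	"net"
)

// ssePort is the SSE server port reported in the advisory.
const ssePort = "5553"

// legacyListenAddr mirrors the pre-1.17.7 behaviour described above:
// an empty host is passed straight through, so net.JoinHostPort("", "5553")
// yields ":5553", which net.Listen treats as "all interfaces".
// (Reconstruction for illustration, not Algernon's code.)
func legacyListenAddr(host, port string) string {
	return net.JoinHostPort(host, port)
}

// hardenedListenAddr is the corrected form assumed for this example:
// an empty host falls back to the IPv4 loopback address, so an unset
// configuration value can never produce a host-less (wildcard) address.
func hardenedListenAddr(host, port string) string {
	if host == "" {
		host = "127.0.0.1"
	}
	return net.JoinHostPort(host, port)
}

// bindsAllInterfaces reports whether a listen address would accept
// connections from every interface: an empty host (":5553"), the IPv4
// wildcard 0.0.0.0, or the IPv6 unspecified address ::. A named host
// (for example "localhost") is treated as not being the wildcard.
func bindsAllInterfaces(addr string) (bool, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false, err
	}
	if host == "" {
		return true, nil
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false, nil
	}
	return ip.IsUnspecified(), nil
}

// boundAddr opens a TCP listener on addr (use port 0 so the OS picks a free
// port), returns the address the kernel actually bound, and closes it.
// On a dual-stack host ":0" comes back as "[::]:<port>", which is why
// bindsAllInterfaces also treats "::" as wildcard.
func boundAddr(addr string) (string, error) {
	ln, err := net.Listen("tcp", addr)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	return ln.Addr().String(), nil
}

func main() {
	// Sample hosts constructed for the demonstration.
	for _, host := range []string{"", "0.0.0.0", "127.0.0.1"} {
		legacy := legacyListenAddr(host, ssePort)
		hardened := hardenedListenAddr(host, ssePort)
		wide, _ := bindsAllInterfaces(legacy)
		fmt.Printf("host=%-11q legacy=%-16s all-interfaces=%-5v hardened=%s\n",
			host, legacy, wide, hardened)
	}
	if got, err := boundAddr(hardenedListenAddr("", "0")); err == nil {
		fmt.Println("hardened default actually bound at", got)
	}
}
```

The same bindsAllInterfaces check can be pointed at whatever listen address an Algernon deployment is configured with before the service starts; an empty host or a wildcard literal is the condition this CVE describes.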

Defensive priority

medium

Recommended defensive actions

  • Upgrade Algernon to version 1.17.7 or later to remediate the default binding behavior.
  • If immediate patching is not feasible, configure Algernon to explicitly bind the SSE server to localhost (127.0.0.1) or to a specific internal interface rather than relying on the default, then confirm the result from a socket listing (for example `ss -ltn` on Linux) instead of assuming the configured value took effect.
  • Review network segmentation to ensure that Algernon instances are not reachable from untrusted adjacent networks where unauthorized SSE access could occur.
  • Monitor for connections to port 5553 on Algernon hosts from non-loopback sources as a potential indicator of exposure or reconnaissance activity.

Evidence notes

The vulnerability description and fix version are drawn from the official CVE record and NVD entry. The root cause is confirmed in the GitHub Security Advisory (GHSA-gj84-924c-48fx), which identifies the specific code location (engine/flags.go:39-46) and the behavior of utils.JoinHostPort with an empty host string. The CVSS 3.1 vector (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) supports the adjacent network attack vector and low confidentiality impact assessment.

Official resources

2026-05-26T17:16:50.943Z