PatchSiren cyber security CVE debrief
CVE-2026-46431 xyproto CVE debrief
CVE-2026-46431 is a cross-origin information disclosure vulnerability in Algernon, a self-contained pure-Go web server. Prior to version 1.17.7, the SSE (Server-Sent Events) event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard '*', regardless of the caller's Origin header. Because EventSource connections do not perform CORS preflight requests and do not include cookies, this wildcard CORS policy allowed any third-party webpage visited by a developer to open a cross-origin EventSource connection to the SSE port and read the live filename stream via JavaScript. This represents a CWE-942 (Permissive Cross-domain Policy with Untrusted Domains) weakness. The vulnerability was published on 2026-05-26 and carries a CVSS 3.1 score of 4.3 (Medium severity). It was remediated in Algernon version 1.17.7.
- Vendor: xyproto
- Product: algernon
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-26
Who should care
Developers using Algernon for local development or production hosting, particularly those exposing SSE endpoints; security teams monitoring for CORS misconfigurations in Go-based web applications; and organizations with developers who may browse untrusted websites while running local Algernon instances.
Technical summary
The Algernon web server's SSE event server implementation prior to 1.17.7 responded with Access-Control-Allow-Origin: * to all requests, ignoring the actual Origin header value. Since EventSource does not trigger CORS preflight and operates without cookies, this permissive policy enabled arbitrary websites to establish cross-origin connections and exfiltrate the live filename stream. The fix in 1.17.7 implements proper origin validation for CORS headers on SSE endpoints.
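To make the defect concrete, the following is an added Go example (not Algernon's own code) showing the wildcard handler as the advisory describes it beside a hardened handler that validates the request's Origin against an allowlist. The allowlist entry, the /events path and the filename event are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed allowlist for this example; a real server would load it from configuration.
var allowedOrigins = map[string]bool{"http://localhost:3000": true}
// Pre-1.17.7 behaviour as the advisory describes it: the wildcard is written whatever the Origin.
func vulnerableSSEHeaders(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Access-Control-Allow-Origin", "*")
	w.Header().Set("Content-Type", "text/event-stream")
	fmt.Fprint(w, "data: index.html\n\n") // constructed filename event
}

// Hardened variant: EventSource never preflights, so the check must run on the GET itself.
// Echo an allowlisted Origin, refuse other cross-origin callers, send no CORS header otherwise.
func hardenedSSEHeaders(w http.ResponseWriter, r *http.Request) {
	if origin := r.Header.Get("Origin"); origin != "" {
		if !allowedOrigins[origin] {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		w.Header().Set("Access-Control-Allow-Origin", origin)
		w.Header().Add("Vary", "Origin") // keep caches from replaying one origin's header
	}
	w.Header().Set("Content-Type", "text/event-stream")
	fmt.Fprint(w, "data: index.html\n\n")
}

// acaoFor drives a handler with the given Origin and returns the status code and ACAO header.
func acaoFor(h http.HandlerFunc, origin string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/events", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	for _, o := range []string{"http://localhost:3000", "https://third-party.example", ""} {
		vc, va := acaoFor(vulnerableSSEHeaders, o)
		hc, ha := acaoFor(hardenedSSEHeaders, o)
		fmt.Printf("origin=%q vulnerable=%d %q hardened=%d %q\n", o, vc, va, hc, ha)
	}
}
```

Running it shows the vulnerable handler answering the third-party origin with `*` while the hardened one returns 403 and no CORS header.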
Defensive priority
medium
Recommended defensive actions
- Upgrade Algernon to version 1.17.7 or later to remediate the hardcoded CORS wildcard vulnerability
- If immediate patching is not feasible, restrict network access to the SSE event server port to trusted hosts only
- Review application logs for unauthorized cross-origin EventSource connections from unexpected origins
- Implement additional network segmentation to limit exposure of development environments hosting Algernon instances
- Monitor for suspicious JavaScript execution patterns that may indicate attempted exploitation of SSE endpoints
Evidence notes
The CVE description and NVD record confirm the hardcoded wildcard CORS header in SSE event server functionality prior to version 1.17.7. The GitHub Security Advisory provides authoritative vendor confirmation of the fix version and technical details.
Official resources
- CVE-2026-46431 CVE record (CVE.org)
- CVE-2026-46431 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: The vulnerability was disclosed via GitHub Security Advisory GHSA-hw27-4v2q-5qff and subsequently published in the NVD on 2026-05-26. The vendor has released a patched version.