CVE-2026-46431 MEDIUM

CVE-2026-46431: Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: *

Vendor Xyproto
Product algernon
Weakness CWE-942
Published May 26, 2026
Last update May 26, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard * regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient to let any third-party page the developer visits open a cross-origin EventSource to the SSE port and read the live filename stream from JavaScript. This vulnerability is fixed in 1.17.7.

Key dates

02Disclosure timeline

May 26, 2026 CVE published
May 26, 2026 Record updated