github.com/xyproto/algernon

CVE-2026-46430

CVE-2026-46430 is a medium-severity security vulnerability in github.com/xyproto/algernon (go), affecting versions <= 1.17.6. It is fixed in 1.17.7.

Key facts
CVSS score
4.3
Medium
Attack vector
Adjacent
Issuing authority
GitHub Advisory Database
Affected package
github.com/xyproto/algernon
Fixed in
1.17.7
Disclosed
2026

Summary

The SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort("", ":5553") resolves to ":5553"; a Go http.Server.Addr of ":5553" listens on every interface. On Windows the same code chose "localhost", binding loopback only. The result was a platform split: the operating systems on which Algernon's dev workflow is most often used (Linux/macOS) got the network-exposed default, and only Windows users got the loopback-safe one. A LAN peer with no developer interaction could connect to <dev-laptop-ip>:5553 and read the file-change stream.

This advisory covers the bind-address default in isolation. The fix is independent of authentication (#2a) and CORS (#2b); switching the default to loopback can be done without touching either.

Details

Root cause: platform-dependent host default in handleFlags. Result tabulated:

| Platform | host | eventAddr after JoinHostPort | Effective bind |
|---|---|---|---|
| Linux | "" | ":5553" | 0.0.0.0:5553 (all interfaces) |
| macOS | "" | ":5553" | 0.0.0.0:5553 (all interfaces) |
| Windows | "localhost" | "localhost:5553" | 127.0.0.1:5553 (loopback) |

The same host value also governs the main web server bind, so the platform split affects both ports. The web-server bind on Linux/macOS is a separate (defensible) design decision, since that server is intended to be reachable; the SSE port is not such a service and inherited the same default by accident.

Why this is an independent finding

The fix is a single line: change the default host value, or change the eventAddr default specifically, to "localhost" regardless of platform. No change to authentication or CORS is required to close the network-reach half of the original bundled advisory. A LAN peer can no longer connect: the listener is unreachable from another host, even if the SSE handler still has no authentication and still returns Allow-Origin: *.

PoC (against 1.17.6 on Linux/macOS)

No interaction from the developer is required. The peer needs network reach and nothing else.

Impact

Confidentiality: medium. LAN-bounded continuous information disclosure of filenames and edit timing. Integrity: none. Availability: none directly. The CVSS vector uses AV:A (adjacent network) to model the LAN-only reach. The vector for a misconfigured deployment on a NAT-less or routed network would shift to AV:N and rise to 5.3.

Suggestions to fix

Primary fix: pick localhost as the SSE default on every platform. Or, more surgically:

An operator who genuinely wants LAN-reachable SSE can pass --eventserver 0.0.0.0:5553 explicitly and accept the consequences.

Stronger fix: eliminate the second listener entirely. Mount the SSE handler on the main mux at /sse. The bind address is then whatever the main server uses; there is no second listener and therefore no second bind-address default to get wrong.

Live verification

Audit-host bind check (Windows 10):

Confirms the Windows default is localhost. The Linux/macOS bind to 0.0.0.0:5553 is documented in the code path above; it was not exercised on the audit machine because the audit host was Windows. A maintainer reproducing on a Linux host would see 0.0.0.0:5553 LISTENING from ss -tlnp.
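The following Go program is an added example, not Algernon's own code, that reproduces the bind-address logic the advisory describes so a maintainer or auditor can see the platform split and the effect of the primary fix without a LAN peer. It models the pre-1.17.7 host default (empty on non-Windows, "localhost" on Windows) and the hardened default (loopback everywhere), uses the standard library's net.JoinHostPort in place of the project's utils.JoinHostPort (assumed equivalent for the empty-host case the advisory cites), classifies whether a resulting http.Server.Addr would listen on all interfaces, and, as a local check, opens an ephemeral-port listener on the host part of an address and reports whether the kernel bound it to a loopback IP. The function names, the goos string parameter and the port constant are assumptions for the example.

```go
package main

import (
	"fmt"
	"net"
	"runtime"
)

// ssePort is the SSE event-server port named in the advisory.
const ssePort = "5553"

// defaultHostVulnerable reconstructs the pre-1.17.7 behaviour described in the
// advisory (engine/flags.go:39-46): an empty host on non-Windows platforms,
// "localhost" on Windows. Hypothetical reconstruction, not the project's code.
func defaultHostVulnerable(goos string) string {
	if goos == "windows" {
		return "localhost"
	}
	return ""
}

// defaultHostFixed is the advisory's primary fix: loopback on every platform.
// The goos argument is kept only so the two defaults share a signature.
func defaultHostFixed(goos string) string {
	return "localhost"
}

// eventAddr builds the SSE listener address. net.JoinHostPort is assumed to
// behave like the project's utils.JoinHostPort for this purpose: an empty host
// yields ":5553", which http.Server binds on every interface.
func eventAddr(host string) string {
	return net.JoinHostPort(host, ssePort)
}

// bindsAllInterfaces reports whether an http.Server.Addr value would make Go
// listen on every interface: an empty host, 0.0.0.0, or the IPv6 unspecified
// address "::". Anything else (localhost, 127.0.0.1, a specific IP) is not.
func bindsAllInterfaces(addr string) bool {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false
	}
	if host == "" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsUnspecified()
}

// loopbackOnly opens a real listener on the host part of addr with an
// ephemeral port (so it never collides with a running Algernon on 5553) and
// reports whether the kernel bound it to a loopback IP. This is the local
// equivalent of the advisory's "ss -tlnp" check.
func loopbackOnly(addr string) (bool, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false, err
	}
	ln, err := net.Listen("tcp", net.JoinHostPort(host, "0"))
	if err != nil {
		return false, err
	}
	defer ln.Close()
	return ln.Addr().(*net.TCPAddr).IP.IsLoopback(), nil
}

func main() {
	// Reproduce the advisory's table for the three platforms it names, then
	// show the hardened default and a live loopback check on this host.
	for _, goos := range []string{"linux", "darwin", "windows"} {
		vuln := eventAddr(defaultHostVulnerable(goos))
		fixed := eventAddr(defaultHostFixed(goos))
		fmt.Printf("%-8s vulnerable=%-16q allInterfaces=%-5v fixed=%q\n",
			goos, vuln, bindsAllInterfaces(vuln), fixed)
	}
	ok, err := loopbackOnly(eventAddr(defaultHostFixed(runtime.GOOS)))
	fmt.Printf("fixed default on %s binds loopback only: %v (err=%v)\n", runtime.GOOS, ok, err)
}
```

The classification helper is the piece worth keeping: run it over whatever address your startup code hands to http.Server before calling ListenAndServe, and fail loudly when a listener that is not meant to be reachable from the network would bind to an unspecified address.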

Impact

Severity and exposure

CVE-2026-46430 has a CVSS score of 4.3 (Medium). The vector is reachable from an adjacent network, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.

A fixed version is available (1.17.7). Upgrading removes the vulnerable code path.

Affected versions

go

  • github.com/xyproto/algernon (<= 1.17.6)

Security releases

  • github.com/xyproto/algernon → 1.17.7 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.

Kodem's runtime-powered SCA identifies whether CVE-2026-46430 is reachable in your applications. Explore open-source security for your team.

See if CVE-2026-46430 is reachable in your applications. Get a demo

Already deployed Kodem? See CVE-2026-46430 in your environment

Remediation advice

Upgrade github.com/xyproto/algernon to 1.17.7 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently asked questions about CVE-2026-46430

What is CVE-2026-46430?

CVE-2026-46430 is a medium-severity security vulnerability in github.com/xyproto/algernon (go), affecting versions <= 1.17.6. It is fixed in 1.17.7.

How severe is CVE-2026-46430?

CVE-2026-46430 has a CVSS score of 4.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.

Which versions of github.com/xyproto/algernon are affected by CVE-2026-46430?

github.com/xyproto/algernon (go) versions <= 1.17.6 are affected.

Is there a fix for CVE-2026-46430?

Yes. CVE-2026-46430 is fixed in 1.17.7. Upgrade to this version or later.

Is CVE-2026-46430 exploitable, and should I be worried?

Whether CVE-2026-46430 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo

What actually determines whether CVE-2026-46430 is exploitable, and how bad it is?

Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

How do I fix CVE-2026-46430?

Upgrade github.com/xyproto/algernon to 1.17.7 or later.

Stop the waste.
Protect your environment with Kodem.