CVE-2026-43982
Description
Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, uploadedFileSaveIn() in lua/upload/upload.go uses filepath.Join() with the caller-supplied directory but performs no boundary check after joining. A directory of ../../../tmp resolves cleanly to /tmp, outside the web root. This vulnerability is fixed in 1.17.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multipart file upload in Algernon before 1.17.6 writes outside web root via path traversal in savein() / uploadedFileSaveIn().
Vulnerability
uploadedFileSaveIn() in lua/upload/upload.go uses filepath.Join() with a caller-supplied directory without validating the resulting path. A directory string such as ../../../tmp resolves to /tmp, which is outside the intended web root. This affects Algernon versions prior to 1.17.6 [2].
Exploitation
An attacker must be able to reach the file upload endpoint and control the directory argument passed to the Lua savein() function. No authentication is required: the issue is pre-authentication and remotely exploitable [1]. The attacker supplies a directory containing ../ sequences to climb out of the intended upload directory before the file is written.
Impact
Successful exploitation allows an arbitrary file write outside the web root, bounded only by the privileges of the Algernon process. If Algernon runs as root (not recommended), files can be written to /tmp or nearly any location on the system. With a restrictive systemd service file, writes are limited to directories the service user can reach, e.g., /home/algernon [2].
Mitigation
Fixed in version 1.17.6, released prior to the advisory [2]. Workarounds include using a stricter systemd service file and adding extra validation in Lua upload handlers, but upgrading is strongly recommended [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing boundary check after filepath.Join() in uploadedFileSaveIn() allows directory traversal to write files outside the web root."
Attack vector
An attacker can upload a file and supply a directory traversal payload (e.g., `../../../tmp`) as the save directory. Because `uploadedFileSaveIn()` uses `filepath.Join()` without verifying that the result stays within the web root, the file is written wherever the traversal lands, anywhere the server process can write [2]. If Algernon runs as root, that is nearly anywhere on the system; with a restrictive systemd service file, the damage is limited to directories like `/home/algernon` [2]. No authentication is required, and the attack is remotely exploitable [1].
Affected code
The vulnerable function is `uploadedFileSaveIn()` in `lua/upload/upload.go` [2]. It calls `filepath.Join()` with the caller-supplied directory but performs no boundary check after joining. `filepath.Join()` cleans the result, so a directory such as `../../../tmp` resolves to `/tmp` and is accepted without validation [2].
What the fix does
The patch in version 1.17.6 adds a boundary check after `filepath.Join()` to ensure the resolved path stays within the intended directory [2]. The advisory recommends upgrading to 1.17.6; workarounds include using a stricter systemd service file or adding extra checks in connection with file uploads, but upgrading is the recommended fix [2].
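The following Go example is added here to illustrate the root cause and the shape of a post-join boundary check; it is not Algernon's code and not the 1.17.6 patch. The function names `vulnerableSavePath` and `safeSavePath`, the web root `/srv/www`, and the sample directory and filename arguments are assumptions made for the illustration. The unchecked version reproduces the pattern the advisory describes (join, then trust); the checked version computes the path relative to the root after joining and rejects anything that climbs above it.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when the resolved save path escapes the web root.
var ErrOutsideRoot = errors.New("save directory resolves outside the web root")

// vulnerableSavePath mirrors the unchecked pattern described for affected
// versions: join the caller-supplied directory onto the web root and trust
// the result. filepath.Join cleans the path, so "../../../tmp" silently
// climbs out of the root. (Illustrative reconstruction, not Algernon's code.)
func vulnerableSavePath(webRoot, dir, filename string) string {
	return filepath.Join(webRoot, dir, filename)
}

// safeSavePath adds the boundary check the unchecked version lacks. After
// joining, it expresses the target relative to the absolute root; any result
// that starts with ".." lies above the root and is rejected. Using
// filepath.Rel instead of a plain string-prefix test also prevents a sibling
// directory such as /srv/www2 from passing because "/srv/www" is its prefix.
func safeSavePath(webRoot, dir, filename string) (string, error) {
	root, err := filepath.Abs(webRoot)
	if err != nil {
		return "", err
	}
	// Only the directory argument is meant to choose where the file goes;
	// a filename carrying its own path components is rejected outright.
	if filename == "" || filename == "." || filename == ".." || filepath.Base(filename) != filename {
		return "", fmt.Errorf("invalid filename %q", filename)
	}
	target := filepath.Join(root, dir, filename)
	rel, err := filepath.Rel(root, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return target, nil
}

func main() {
	// Constructed inputs: a benign upload directory and a traversal payload.
	cases := []struct{ dir, name string }{
		{"uploads/2026", "photo.png"},
		{"../../../tmp", "evil.txt"},
		{"../www2", "shell.lua"},
	}
	for _, c := range cases {
		unchecked := vulnerableSavePath("/srv/www", c.dir, c.name)
		checked, err := safeSavePath("/srv/www", c.dir, c.name)
		fmt.Printf("dir=%q unchecked=%s checked=%s err=%v\n", c.dir, unchecked, checked, err)
	}
}
```

The check is purely lexical: it decides on the cleaned path and does not resolve symbolic links, so a symlink already present under the web root that points elsewhere would still pass. Where untrusted content can create such links, resolve the parent directory with filepath.EvalSymlinks before applying the same relative-path test.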
Preconditions
- config: Algernon must be configured to accept file uploads (e.g., via Lua handlers that call savein()).
- auth: No authentication is required; the attack is pre-authentication and remotely exploitable.
- network: The attacker must be able to send an HTTP request with a file upload and control the save directory path.
- input: The attacker supplies a directory traversal string (e.g., ../../../tmp) as the save directory.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
References: 2
News mentions: 0
No linked articles in our index yet.