CVE-2026-46431

CVE-2026-46431 is a medium-severity vulnerability with a CVSS 3.x base score of 4.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-942.

Key facts

Description

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard * regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient to let any third-party page the developer visits open a cross-origin EventSource to the SSE port and read the live filename stream from JavaScript. This vulnerability is fixed in 1.17.7.

Frequently asked questions

What is CVE-2026-46431?
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard * regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient to let any third-party page the developer visits open a cross-origin EventSource to the SSE port and read the live filename stream from JavaScript. This vulnerability is fixed in 1.17.7.
How severe is CVE-2026-46431?
CVE-2026-46431 has a CVSS 3.x base score of 4.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is low, integrity none, and availability none.
Is CVE-2026-46431 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (12th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2026-46431?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-46431 have an EU (EUVD) identifier?
Yes. CVE-2026-46431 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-31870.
When was CVE-2026-46431 published?
CVE-2026-46431 was published on 2026-05-26 and last updated on 2026-06-17.

References

Other CWE-942 vulnerabilities

Browse all CWE-942 vulnerabilities →