CVE-2026-52792
Summary
Algernon selects its file handler from filepath.Ext() (engine/handlers.go:134), which does not treat the NTFS-equivalent names x.lua::$DATA, x.lua., or x.lua as .lua. On Windows, an unauthenticated client appends one of these suffixes to any server-side script on a public path and receives its raw source instead of executed output, leaking embedded secrets such as database credentials and the SetCookieSecret value.
Linux and macOS hosts are unaffected.
Preconditions
- Algernon runs on a Windows host (NTFS filesystem).
- The instance serves at least one server-side script (.lua, .tl, .po2, .amber, .frm).
- The script sits on a public path, or no auth backend is configured (--nodb, --simple, or default no-DB).
- HTTP/HTTPS reachability to the server.
Details
// engine/handlers.go:133
lowercaseFilename := strings.ToLower(filename)
ext := filepath.Ext(lowercaseFilename) // "index.lua::$data" -> ".lua::$data", not ".lua" [offending]
...
if ac.dispatchRenderer(w, req, filename, ext) { // ext unrecognised, returns false
return
}
switch ext {
case ".lua", ".tl": // execute the script -- never reached for the equivalent forms
// ... RunLua ...
default:
// control reaches the raw-file branch below
}
// engine/handlers.go:452
f, err := os.Open(filename) // NTFS resolves "index.lua::$DATA" to index.lua's data stream
...
// engine/handlers.go:479
if dataBlock, err := ac.ReadAndLogErrors(w, filename, ext); err == nil {
dataBlock.ToClient(w, req, filename, ac.ClientCanGzip(req), gzipThreshold) // raw source to client
}
The request path reaches FilePage through URL2filename (utils/files.go:24), which rejects only ..; a :, a trailing ., and a trailing space all pass through into filename. filepath.Ext does an exact suffix match, so .lua::$data, ., and .lua are not equal to .lua or .tl. The renderer registry and the execute case are both skipped and control falls to th
⚡ Watch CVE-2026-52792
Get an email if CVE-2026-52792 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Advisory coverage (1)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-52792)