CVE-2026-46431: Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: *
The SSE event server’s Access-Control-Allow-Origin response header was hardcoded to the wildcard * regardless of the caller’s Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient to let any third-party page the developer visits open a cross-origin EventSource to the SSE port and read the live filename stream from JavaScript. Combined with the lack of authentication (advisory #2a), no further trickery is required — any tab the developer opens has script-level read access to the stream.
This advisory covers the CORS configuration in isolation. The fix is independent of authentication and bind-address fixes: the wildcard could be replaced with a same-origin echo without touching either.
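The contrast below is an added illustration, not Algernon's own code: a minimal Go SSE handler with the hardcoded wildcard the advisory describes, beside the same-origin echo it proposes as the fix. The handler names, the constructed `sampleEvent` line, the `allowed` map and the `http://localhost:3000` origin are all assumptions for the example; the allowlist stands in for whatever origin the event server is configured to serve. The `probe` helper drives each handler through `httptest` so the difference in the `Access-Control-Allow-Origin` header is visible without a browser.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed stand-in for one event on the live filename stream.
const sampleEvent = "data: index.html changed\n\n"

// vulnerableSSE mirrors the advisory's behaviour: the CORS header is
// hardcoded to "*" regardless of the caller's Origin, so an EventSource
// opened from any page is allowed to read the stream.
func vulnerableSSE(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/event-stream")
	w.Header().Set("Access-Control-Allow-Origin", "*")
	fmt.Fprint(w, sampleEvent)
}

// corsOriginFor is the same-origin echo: the caller's Origin is reflected
// back only when it is one the server is configured to serve. Any other
// origin gets no grant at all (no header, not a different header).
func corsOriginFor(origin string, allowed map[string]bool) (string, bool) {
	if !allowed[origin] {
		return "", false
	}
	return origin, true
}

// hardenedSSE applies the origin check before streaming. A request with no
// Origin header (a non-browser client such as curl) is not a CORS request
// and is served without any Access-Control-Allow-Origin header; a request
// from an unlisted origin is refused outright.
func hardenedSSE(allowed map[string]bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" {
			echo, ok := corsOriginFor(origin, allowed)
			if !ok {
				http.Error(w, "forbidden origin", http.StatusForbidden)
				return
			}
			w.Header().Set("Access-Control-Allow-Origin", echo)
			// The response now depends on Origin; tell caches so.
			w.Header().Set("Vary", "Origin")
		}
		w.Header().Set("Content-Type", "text/event-stream")
		fmt.Fprint(w, sampleEvent)
	}
}

// probe sends one GET with the given Origin (empty string = no Origin header)
// through h and returns the status code and the Access-Control-Allow-Origin
// value that came back.
func probe(h http.Handler, origin string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/events", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	// Constructed: the origin the developer's own web server is served from.
	allowed := map[string]bool{"http://localhost:3000": true}
	for _, origin := range []string{"http://localhost:3000", "https://third-party.example", ""} {
		code, acao := probe(http.HandlerFunc(vulnerableSSE), origin)
		fmt.Printf("vulnerable origin=%q -> %d ACAO=%q\n", origin, code, acao)
		code, acao = probe(hardenedSSE(allowed), origin)
		fmt.Printf("hardened   origin=%q -> %d ACAO=%q\n", origin, code, acao)
	}
}
```

The point the output makes is the one the advisory relies on: because EventSource never preflights, the only thing standing between a third-party page and the stream is the value of that one response header, so the fix is simply to stop emitting a grant for origins the server was not configured to serve.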