Description
Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution.
Published: 2026-04-06
Score: 7.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

A flaw in the Lupa library, which embeds Lua or LuaJIT2 runtimes in CPython, causes the attribute_filter protection to be inconsistently applied when attributes are accessed through Python's built-in functions such as getattr and setattr rather than through ordinary obj.attr access. The result is that an attacker who can supply Lua code that reaches these built-ins can bypass the intended restrictions and ultimately execute arbitrary code on the host system.

Affected Systems

The vulnerability affects the Lupa Python package (CPE vendor scoder, product lupa). The description scopes the flaw to versions 2.6 and earlier; releases after 2.6 enforce attribute_filter consistently for these access paths.

Risk and Exploitability

The CVSS v4.0 base score is 7.9 (High); its vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H) places the high confidentiality, integrity and availability impact on the subsequent system, that is, the host application and environment the Lua sandbox was meant to protect. Later enrichment recorded CVSS v3.1 vectors of 8.1 (AC:H, scope unchanged) and 10.0 (AC:L, scope changed), so severity ratings differ by source. EPSS is below 1%, the vulnerability is not in the CISA KEV catalog, and the SSVC record marks exploitation as "poc", so a proof of concept exists but widespread exploitation has not been observed. The attack surface is any application that executes untrusted Lua through a Lupa LuaRuntime and relies on attribute_filter to confine it: the filter intercepts access of the form obj.attr, but in 2.6 and earlier it is not consistently applied when a Lua script reaches the same attributes through Python's getattr and setattr built-ins. An attacker therefore needs only to get Lua code into such an application, a realistic scenario wherever Lua is accepted from users (plugins, rules engines, scripted game or template logic). The impact is system-wide, as arbitrary code can be run with the privileges of the process that loaded Lupa.

Generated by OpenCVE AI on April 7, 2026 at 01:44 UTC.

Remediation

No vendor fix or workaround is listed in this entry. The description itself scopes the flaw to 2.6 and earlier, so moving to a release after 2.6 is the fix; see the recommended actions below.

OpenCVE Recommended Actions

  • Upgrade Lupa to a version newer than 2.6 to ensure attribute_filter enforcement is correct.
  • If upgrading is not immediately possible, do not run untrusted Lua in a LuaRuntime whose confinement depends on attribute_filter alone. Keep Python's getattr and setattr built-ins out of reach of Lua code, or expose only wrapper functions that apply the same attribute_filter check before delegating to the built-in.
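The following is an added example, not code from Lupa or from the advisory. It shows the hardened configuration the recommended actions describe and a version check for the affected range. Assumptions: LuaRuntime's attribute_filter (a callable taking obj, attr_name, is_setting and returning the name or raising AttributeError) and its register_eval / register_builtins parameters come from Lupa's documented API, but this page does not state that those parameters are the vendor's fix; safe_getattr, safe_setattr, READABLE, WRITABLE and Record are hypothetical names chosen for this example; is_affected uses the "2.6 and earlier" boundary from the description and nothing else. The demo exercises the hardened runtime, not the bypass.

```python
"""Hardened Lupa sandbox setup (added example; assumes Lupa's documented
LuaRuntime keyword arguments, see lead-in)."""
import re
from typing import Any, Optional

# Constructed allow-lists for this example: attributes untrusted Lua may
# read, and the subset it may write, on Python objects handed to it.
READABLE = {"name", "value", "items"}
WRITABLE = {"value"}


def attribute_filter(obj: Any, attr_name: str, is_setting: bool) -> str:
    """Lupa-style filter: return the attribute name to use, or raise
    AttributeError to deny. Names starting with '_' are always refused,
    since dunder access is the usual route to code execution gadgets."""
    if not isinstance(attr_name, str) or attr_name.startswith("_"):
        raise AttributeError(f"access to {attr_name!r} denied")
    allowed = WRITABLE if is_setting else READABLE
    if attr_name not in allowed:
        kind = "write" if is_setting else "read"
        raise AttributeError(f"{kind} of {attr_name!r} denied")
    return attr_name


def safe_getattr(obj: Any, attr_name: str, *default: Any) -> Any:
    """Wrapper published to Lua instead of the raw getattr built-in:
    the same filter that guards obj.attr runs before delegating."""
    name = attribute_filter(obj, attr_name, False)
    return getattr(obj, name, *default)


def safe_setattr(obj: Any, attr_name: str, value: Any) -> None:
    """Wrapper published to Lua instead of the raw setattr built-in."""
    name = attribute_filter(obj, attr_name, True)
    setattr(obj, name, value)


class Record:
    """Constructed sample object exposed to Lua in the demo."""

    def __init__(self, name: str, value: int) -> None:
        self.name = name
        self.value = value
        self._secret = "do-not-leak"  # must stay unreachable from Lua


def is_affected(version: str) -> bool:
    """True for releases in the advisory's range (2.6 and earlier).
    Compares major.minor only; pre-release suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version {version!r}")
    return (int(m.group(1)), int(m.group(2))) <= (2, 6)


def installed_lupa_version() -> Optional[str]:
    """Version string of the installed lupa distribution, or None."""
    from importlib import metadata
    try:
        return metadata.version("lupa")
    except metadata.PackageNotFoundError:
        return None


def make_runtime():
    """Build a LuaRuntime that filters obj.attr access AND does not register
    python.builtins / python.eval, so Lua cannot reach the unfiltered
    getattr/setattr built-ins at all. Only the filtered wrappers are
    published into the Lua globals. (Assumes Lupa's documented kwargs.)"""
    import lupa  # deferred so the filter logic is usable without Lupa installed
    lua = lupa.LuaRuntime(
        attribute_filter=attribute_filter,
        register_eval=False,
        register_builtins=False,
    )
    g = lua.globals()
    g.safe_getattr = safe_getattr
    g.safe_setattr = safe_setattr
    return lua


if __name__ == "__main__":
    ver = installed_lupa_version()
    print("lupa:", ver, "affected" if ver and is_affected(ver) else "not in range")
    try:
        lua = make_runtime()
    except ImportError:
        print("lupa not installed; runtime demo skipped")
    else:
        lua.globals().rec = Record("widget", 1)
        print(lua.execute("return rec.name"))                    # filtered obj.attr path
        print(lua.execute("return safe_getattr(rec, 'value')"))  # filtered wrapper path
        try:
            lua.execute("return safe_getattr(rec, '_secret')")   # denied by the filter
        except Exception as exc:
            print("denied:", exc)
```

The point of register_builtins=False is that the confinement no longer depends on Lupa filtering every path to getattr and setattr: the built-ins are simply absent from the Lua environment, and the only attribute access Lua has is the filtered obj.attr form plus the wrappers, which run the identical check. Run is_affected against the installed version to confirm the upgrade actually landed after a deploy.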


Advisories
Source: GitHub GHSA
ID: GHSA-69v7-xpr6-6gjm
Title: Lupa has a Sandbox escape and RCE due to incomplete attribute_filter enforcement in getattr / setattr
History

Fri, 01 May 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:scoder:lupa:*:*:*:*:*:python:*:*
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Scoder
Scoder lupa
Weaknesses CWE-914
Vendors & Products Scoder
Scoder lupa
References
Metrics threat_severity

None

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution.
Title Lupa has a Sandbox escape and RCE due to incomplete attribute_filter enforcement in getattr / setattr
Weaknesses CWE-284
CWE-639
References
Metrics cvssV4_0

{'score': 7.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T18:37:15.583Z

Reserved: 2026-03-27T18:18:14.894Z

Link: CVE-2026-34444

Vulnrichment

Updated: 2026-04-06T18:37:12.215Z

NVD

Status : Analyzed

Published: 2026-04-06T16:16:35.717

Modified: 2026-05-01T19:54:12.063

Link: CVE-2026-34444

Red Hat

Severity : Important

Public Date: 2026-04-06T15:30:30Z

Links: CVE-2026-34444 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-07T06:54:59Z

Weaknesses