Description
Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution.
Published: 2026-04-06
Score: 7.9 High
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Lupa integrates the Lua or LuaJIT2 runtime into CPython, enabling Lua scripts to run inside a Python process. The vulnerability stems from incomplete application of the attribute_filter, a mechanism intended to restrict which Python attributes sandboxed Lua code may reach. When attributes are accessed through built-in functions such as getattr and setattr rather than through ordinary attribute syntax, the filter is not consistently enforced, allowing an attacker to read or modify restricted attributes. This bypass ultimately permits execution of arbitrary code within the host Python interpreter, exposing the entire process to attack.

Affected Systems

The flaw affects the scoder:lupa package, specifically installations running version 2.6 or older. Any Python application that imports or uses these earlier Lupa releases is at risk, especially when it runs untrusted Lua code that can reach built-in attribute access functions.

Risk and Exploitability

The CVSS base score of 7.9 classifies this as a high-severity remote code execution flaw. No public EPSS score is available and the vulnerability is not currently listed in the CISA KEV catalog, implying limited known exploitation. Exploitation requires an attacker to influence attribute access within a CPython process that has loaded the vulnerable Lupa extension, for example by supplying untrusted Lua code to a sandbox that exposes getattr or setattr. Successful exploitation would grant full control over the Python process and, by extension, the host system.

Generated by OpenCVE AI on April 6, 2026 at 20:35 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Review the GitHub security advisory for scoder:lupa and apply a newer release that corrects the attribute_filter enforcement if one is available.
  • Verify that the updated package correctly blocks privileged attribute access through unit tests or debugging tools.
  • If a patched release is not yet released, limit the use of Lupa in untrusted or externally supplied code, or remove Lupa from the application entirely until a fix is provided.
  • Continuously monitor vendor advisories and security bulletins to apply patches as soon as they are released.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Scoder; Scoder lupa
Weaknesses | | CWE-914
Vendors & Products | | Scoder; Scoder lupa
References | |
Metrics | threat_severity: None | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}; threat_severity: Important


Mon, 06 Apr 2026 20:00:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Apr 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution.
Title | | Lupa has a Sandbox escape and RCE due to incomplete attribute_filter enforcement in getattr / setattr
Weaknesses | | CWE-284; CWE-639
References | |
Metrics | | cvssV4_0: {'score': 7.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T18:37:15.583Z

Reserved: 2026-03-27T18:18:14.894Z

Link: CVE-2026-34444

Vulnrichment

Updated: 2026-04-06T18:37:12.215Z

NVD

Status: Received

Published: 2026-04-06T16:16:35.717

Modified: 2026-04-06T16:16:35.717

Link: CVE-2026-34444

Redhat

Severity: Important

Public Date: 2026-04-06T15:30:30Z

Links: CVE-2026-34444 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-06T21:32:15Z

Weaknesses