Description
Luanti 5 before 5.15.2 sometimes allows unintended access to an insecure environment. If at least one mod is listed as secure.trusted_mods or secure.http_mods, then a crafted mod can intercept the request for the insecure environment or HTTP API, and also receive access to it.
Published: 2026-04-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to insecure environment via crafted module
Action: Apply Patch
AI Analysis

Impact

Luanti 5 releases before 5.15.2 can let a crafted mod intercept another mod's request for the insecure environment or the HTTP API and obtain that access for itself, even though only mods listed in secure.trusted_mods or secure.http_mods are supposed to receive it. A mod holding the insecure environment runs outside the sandbox that normally confines mod code, so the CVSS vector rates confidentiality, integrity and availability impact as high with a changed scope. The flaw is classified as CWE-670 (Always-Incorrect Control Flow Implementation).

Affected Systems

The vulnerability affects Luanti 5.x releases older than 5.15.2. Administrators should verify the installed version and upgrade to 5.15.2 or later.

Risk and Exploitability

The CVSS 3.1 base score is 8.1 (High), vector AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. The EPSS score is below 1%, the vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment records no known exploitation and rates it as not automatable. Two conditions must hold: a crafted mod must be installed and enabled on the server, and at least one other mod must already be listed in secure.trusted_mods or secure.http_mods. With both lists empty there is no privileged request to intercept. The attacker needs no privileges on the host (PR:N); the local vector and high attack complexity reflect that the crafted mod has to be loaded by the server and that, per the description, the interception only sometimes succeeds. Once loaded, the crafted mod can obtain the insecure environment or HTTP API access intended for the trusted mod, which escapes the mod sandbox (scope changed).

Generated by OpenCVE AI on April 17, 2026 at 04:55 UTC.

Remediation

The description records the fix as Luanti 5.15.2, and the Advisories section below lists Debian DSA-6217-1 for the distribution package. Until the upgrade is applied, the description implies a workaround: removing every entry from secure.trusted_mods and secure.http_mods removes the precondition, at the cost of the functionality those mods needed the insecure environment or HTTP API for.

OpenCVE Recommended Actions

  • Upgrade to Luanti 5.15.2 or later to receive the patch.
  • Review the server configuration and ensure only mods you have audited are listed under secure.trusted_mods or secure.http_mods; entries that name mods no longer installed should be removed.
  • Remove or disable any untrusted or unnecessary mods, since any loaded mod can attempt the interception.
  • Install future releases promptly to maintain protection against similar vulnerabilities.
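As an added example (not Luanti project code and not part of the OpenCVE page), the following Python script performs the two checks the actions above call for: whether the installed version is a 5.x release before 5.15.2, and whether any mod is listed in secure.trusted_mods or secure.http_mods, flagging entries that name a mod that is not actually installed. It assumes the server configuration uses the key = value format of minetest.conf with comma-separated mod lists, that the version string begins with major.minor.patch (any -dev style suffix is ignored), and that secure.enable_security is a boolean setting; the configuration text and the set of installed mods are constructed samples.

```python
"""Audit a Luanti server for the CVE-2026-40960 precondition.

Added example; not Luanti project code. Config format, setting names and
version-string layout are assumptions noted in the comments.
"""
import re

# Constructed sample config (assumed minetest.conf style: key = value,
# comma-separated lists). Not taken from a real server.
SAMPLE_CONF = """\
# constructed example config
server_name = example
secure.enable_security = true
secure.trusted_mods = mod_a, mod_b
secure.http_mods = webhook
"""

# Constructed sample of the mod directories present on the server.
SAMPLE_INSTALLED = {"mod_a", "webhook", "some_other_mod"}

# First fixed release according to the CVE description.
FIXED_VERSION = (5, 15, 2)


def parse_conf(text):
    """Parse key = value lines; blank lines and # comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def mod_list(conf, key):
    """Return the comma-separated mod names stored under key, in order."""
    return [m.strip() for m in conf.get(key, "").split(",") if m.strip()]


def parse_version(version):
    """Extract major.minor.patch; suffixes such as -dev are ignored (assumption)."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True for Luanti 5.x releases older than 5.15.2 (per the description)."""
    parsed = parse_version(version)
    return parsed[0] == 5 and parsed < FIXED_VERSION


def audit(conf_text, version, installed_mods):
    """Combine version and configuration checks into one report."""
    conf = parse_conf(conf_text)
    trusted = mod_list(conf, "secure.trusted_mods")
    http = mod_list(conf, "secure.http_mods")
    privileged = set(trusted) | set(http)
    # If security is disabled every mod already has the insecure environment,
    # which is a separate and larger problem than this CVE.
    security_disabled = conf.get("secure.enable_security", "true").lower() == "false"
    affected = is_affected(version)
    return {
        "affected_version": affected,
        "trusted_mods": trusted,
        "http_mods": http,
        "precondition": bool(privileged),
        "not_installed": sorted(privileged - set(installed_mods)),
        "security_disabled": security_disabled,
        # Exposed only when both the vulnerable version and the precondition hold.
        "exposed": affected and bool(privileged),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONF, "5.15.1", SAMPLE_INSTALLED).items():
        print(f"{key}: {value}")
```

Run it against the real minetest.conf contents and the output of `ls` on the mods directory; a report with `exposed: True` means upgrade or empty both lists, and any name under `not_installed` is a stale trust grant that should be removed regardless of version.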



Advisories
Source: Debian DSA
ID: DSA-6217-1
Title: luanti security update
History

Fri, 17 Apr 2026 05:15:00 +0000

Title (added): Crafted Module Enables Unauthorized Access to Insecure Environment in Luanti

Thu, 16 Apr 2026 13:15:00 +0000

Metrics (added): SSVC 2.0.3 with Automatable: no, Exploitation: none, Technical Impact: total


Thu, 16 Apr 2026 09:30:00 +0000

First Time appeared (added): Luanti; Luanti luanti
Vendors & Products (added): Luanti; Luanti luanti

Thu, 16 Apr 2026 01:15:00 +0000

Description (added): Luanti 5 before 5.15.2 sometimes allows unintended access to an insecure environment. If at least one mod is listed as secure.trusted_mods or secure.http_mods, then a crafted mod can intercept the request for the insecure environment or HTTP API, and also receive access to it.
Weaknesses (added): CWE-670
References: (none listed)
Metrics (added): cvssV3_1, score 8.1, vector CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-16T12:31:57.082Z

Reserved: 2026-04-16T00:54:45.558Z

Link: CVE-2026-40960

Vulnrichment

Updated: 2026-04-16T12:22:21.432Z

NVD

Status : Awaiting Analysis

Published: 2026-04-16T01:16:11.770

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-40960

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T05:00:05Z

Weaknesses