Description
Luanti (formerly Minetest) is an open source voxel game-creation platform. Starting in version 5.0.0 and prior to version 5.15.2, a malicious mod can trivially escape the sandboxed Lua environment to execute arbitrary code and gain full filesystem access on the user's device. This applies to the server-side mod, async and mapgen as well as the client-side (CSM) environments. This vulnerability is only exploitable when using LuaJIT. Version 5.15.2 contains a patch. On release versions, one can also patch this issue without recompiling by editing `builtin/init.lua` and adding the line `getfenv = nil` at the end. Note that this will break mods relying on this function (which is not inherently unsafe).
Published: 2026-04-23
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

Luanti, an open-source voxel game creation platform, contains a flaw that allows a malicious mod to escape the sandboxed Lua environment. The vulnerability enables arbitrary code execution and full file‑system access on the host. It is rooted in sandbox escape (CWE‑749) and executable code injection (CWE‑94).

Affected Systems

The affected vendor is luanti‑org and the product is Luanti. All releases from version 5.0.0 up to, but not including, 5.15.2 are impacted when LuaJIT is used, on both server‑side and client‑side environments.

Risk and Exploitability

The CVSS score of 9 indicates a high severity flaw, yet the EPSS score is less than 1 percent and it is not listed in the CISA KEV catalog, suggesting a low current exploitation probability. Attackers would need to deploy a malicious mod—typically by uploading or installing it in a trusted directory—while LuaJIT is active. Once patched, the risk is eliminated for all users of the affected versions.

Generated by OpenCVE AI on April 28, 2026 at 15:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Luanti to version 5.15.2 or newer
  • If upgrading is not possible, edit builtin/init.lua to add the line getfenv = nil at the end
  • Remove or disable untrusted mods from the server or client

Generated by OpenCVE AI on April 28, 2026 at 15:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Minetest
Minetest minetest
CPEs cpe:2.3:a:minetest:minetest:*:*:*:*:*:*:*:*
Vendors & Products Minetest
Minetest minetest
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

 cvssV3_1

{'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Tue, 28 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Luanti
Luanti luanti
Vendors & Products Luanti
Luanti luanti

Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-749
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

threat_severity

Important

Thu, 23 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Description Luanti (formerly Minetest) is an open source voxel game-creation platform. Starting in version 5.0.0 and prior to version 5.15.2, a malicious mod can trivially escape the sandboxed Lua environment to execute arbitrary code and gain full filesystem access on the user's device. This applies to the server-side mod, async and mapgen as well as the client-side (CSM) environments. This vulnerability is only exploitable when using LuaJIT. Version 5.15.2 contains a patch. On release versions, one can also patch this issue without recompiling by editing `builtin/init.lua` and adding the line `getfenv = nil` at the end. Note that this will break mods relying on this function (which is not inherently unsafe).
Title Luanti has a mod security sandbox escape
Weaknesses CWE-94
References
Metrics cvssV4_0

{'score': 9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Luanti Luanti
Minetest Minetest
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T14:38:39.113Z

Reserved: 2026-04-18T02:51:52.973Z

Link: CVE-2026-41196

cve-icon Vulnrichment

Updated: 2026-04-23T14:38:32.465Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T02:16:17.900

Modified: 2026-05-14T16:35:18.110

Link: CVE-2026-41196

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-23T00:28:56Z

Links: CVE-2026-41196 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T15:15:34Z

Weaknesses