CVE-2026-24130
LDAP Injection in Moonraker Web Server Enables Information Disclosure
Publication date: 2026-01-22
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| arksine | moonraker | < 0.10.0 (0.10.0 not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-209 | The product generates an error message that includes sensitive information about its environment, users, or associated data. |
| CWE-90 | The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Moonraker versions 0.9.3 and below when the "ldap" component is enabled. It allows LDAP search filter injection via the login endpoint. An attacker can use the 401 error response message to determine whether an LDAP search was successful, enabling brute force methods to discover LDAP entries such as user IDs and user attributes.
How can this vulnerability impact me?
The vulnerability can allow an attacker to enumerate LDAP entries on the server, potentially exposing sensitive information like user IDs and attributes. This could lead to unauthorized information disclosure and facilitate further attacks against the system or its users.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Moonraker to version 0.10.0 or later, as this version contains the fix for the LDAP search filter injection vulnerability.
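As an added illustration (not code from the Moonraker project), the Python below shows the two halves of this bug class in a hypothetical login handler: a filter built by raw concatenation versus one whose value is escaped per RFC 4515 (CWE-90), and a 401 body that reveals the search outcome versus a uniform one (CWE-209). The filter template, the in-memory directory and the messages are constructed assumptions.

```python
import re

# RFC 4515 escaping for the characters that change a filter's structure or matching.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it can only ever match a literal attribute value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(username: str, escape: bool = True) -> str:
    """Hypothetical filter template (Moonraker's real template is not on the page).
    escape=False reproduces the vulnerable concatenation pattern."""
    value = escape_filter_value(username) if escape else username
    return f"(&(objectClass=person)(uid={value}))"


# The intended shape: one uid assertion, no wildcard, backslashes only as \xx escapes.
_SAFE_SHAPE = re.compile(
    r"^\(&\(objectClass=person\)\(uid=[^()*\\]*(?:\\[0-9a-f]{2}[^()*\\]*)*\)\)$"
)


def filter_keeps_intended_shape(ldap_filter: str) -> bool:
    """Defensive check: True only when input could not have added components or wildcards."""
    return _SAFE_SHAPE.match(ldap_filter) is not None


# Constructed in-memory stand-in for the directory; no LDAP server is contacted.
DIRECTORY = {"alice": "correct horse", "bob": "hunter2"}


def login_leaky(username: str, password: str) -> tuple[int, str]:
    """Body differs by failure stage, so the 401 tells a client whether the search matched."""
    if username not in DIRECTORY:
        return 401, "LDAP search returned no entries"
    if DIRECTORY[username] != password:
        return 401, "LDAP bind failed"
    return 200, "ok"


def login_uniform(username: str, password: str) -> tuple[int, str]:
    """Hardened: escaped filter, and one opaque message for every failure
    (stage-specific detail belongs in the server log, not the response)."""
    ldap_filter = build_filter(username)  # what would be sent to the directory
    if not filter_keeps_intended_shape(ldap_filter) or DIRECTORY.get(username) != password:
        return 401, "Invalid username or password"
    return 200, "ok"
```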