CVE-2026-40959
Lua Sandbox Escape in Luanti 5 via Crafted Mod
Publication date: 2026-04-16
Last updated on: 2026-04-16
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| luanti | luanti | from 5.0.0 (inclusive) to 5.15.2 (exclusive) |
| luanti | luanti | 5.15.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-829 | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40959 is a critical vulnerability in the Luanti software (formerly Minetest) versions before 5.15.2 when LuaJIT is used. It allows a malicious mod to escape the Lua sandbox environment designed to restrict mod capabilities.
This sandbox escape enables arbitrary code execution and full filesystem access on the user's device, meaning that a crafted mod can break out of its restricted environment and perform unauthorized actions.
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker to execute arbitrary code on your system and gain full access to your filesystem.
- It affects both server-side mods (including async and mapgen) and client-side mod (CSM) environments.
- This could lead to unauthorized data access, modification, or deletion, potentially compromising the integrity and confidentiality of your system.
- The vulnerability requires LuaJIT to be used, so systems not using LuaJIT are not affected.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To check whether your system is vulnerable, first determine the installed Luanti version by running `luanti --version`; versions before 5.15.2 are affected.
Because the vulnerability only applies when LuaJIT is in use, also confirm which Lua implementation the build uses; the same version check output helps establish this.
There are no specific network detection commands or signatures provided for identifying exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Luanti to version 5.15.2 or later, where the vulnerability is patched.
As a workaround for existing release versions, which needs no recompilation, edit the file `builtin/init.lua` and add the line `getfenv = nil` at its end. This removes the `getfenv` function from the mod environment, which helps prevent the sandbox escape.
Note that removing `getfenv` may break mods that depend on it, even though the function is not inherently unsafe.
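An added check script (not part of this advisory or of the Luanti project) that applies the two answers above: it compares an installed version against the affected range and, for an affected build, looks for the `getfenv = nil` workaround line in `builtin/init.lua`. The exact `luanti --version` output format and the `/usr/share/luanti/builtin/init.lua` path are assumptions.

```shell
#!/bin/sh
# Added example: classify a Luanti install for CVE-2026-40959 as
# fixed (>= 5.15.2), mitigated (affected version but workaround applied),
# or VULNERABLE (affected version, no workaround line present).

# version_lt A B: succeed when dotted version A is numerically lower than B.
# Non-numeric suffixes such as "-dev" are stripped from each component.
version_lt() {
    i=1
    while :; do
        x=$(printf '%s\n' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        y=$(printf '%s\n' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        [ -z "$x" ] && [ -z "$y" ] && return 1   # all components equal
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# affected_version V: succeed when 5.0.0 <= V < 5.15.2, the range on this page.
affected_version() {
    ! version_lt "$1" 5.0.0 && version_lt "$1" 5.15.2
}

# extract_version TEXT: first dotted version number in `luanti --version` output
# (assumption: the product version is the first such number printed).
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n 1
}

# workaround_present FILE: succeed when builtin/init.lua contains the
# advisory's `getfenv = nil` line (surrounding whitespace tolerated).
workaround_present() {
    [ -f "$1" ] && grep -qE '^[[:space:]]*getfenv[[:space:]]*=[[:space:]]*nil[[:space:]]*$' "$1"
}

# assess VERSION INIT_LUA: print one status word: fixed, mitigated or VULNERABLE.
assess() {
    if ! affected_version "$1"; then echo fixed
    elif workaround_present "$2"; then echo mitigated
    else echo VULNERABLE
    fi
}

# Live check, only when LUANTI_BIN is set (e.g. LUANTI_BIN=luanti sh check.sh).
# The default init.lua location below is an assumed install path.
if [ -n "${LUANTI_BIN:-}" ]; then
    v=$(extract_version "$("$LUANTI_BIN" --version 2>&1)")
    assess "$v" "${LUANTI_INIT_LUA:-/usr/share/luanti/builtin/init.lua}"
fi
```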
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows a malicious mod to escape the Lua sandbox and execute arbitrary code with full filesystem access on the user's device.
Such unauthorized code execution and potential data access could lead to breaches of confidentiality, integrity, and availability of data.
This could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.
However, the provided information does not explicitly mention compliance impacts or regulatory considerations.