Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-40960 is a security vulnerability in the luanti project versions before 5.15.2 that allows unintended access to an insecure environment via the HTTP API. This happens when at least one mod is listed in the configuration settings secure.trusted_mods or secure.http_mods. Under these conditions, a crafted malicious mod can intercept requests intended for the insecure environment or HTTP API and gain unauthorized access to it.

The malicious mod does not need to be initially enabled because it can modify the world.mt file to enable any other mod, facilitating exploitation. The vulnerability arises from insufficient checks in the function ScriptApiSecurity::getCurrentModName, which could be bypassed using coroutine-based exploits to steal return values or override functions.

The issue was fixed by adding checks to detect coroutine usage and ensuring proper stack inspection to prevent indirect or coroutine-based calls that could bypass security.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized access to the insecure environment or HTTP API of the luanti application. A malicious mod can intercept and manipulate requests, potentially gaining high levels of control or access.

• Confidentiality impact: The attacker can access sensitive data in the insecure environment.
• Integrity impact: The attacker can override functions or modify behavior by enabling other mods.
• Availability impact: The attacker might disrupt normal operations by exploiting the insecure environment.

Overall, the vulnerability has a high severity rating with a CVSS base score of 8.1, indicating significant risk if exploited.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves malicious mods intercepting requests to the insecure environment or HTTP API by exploiting configuration settings like secure.trusted_mods or secure.http_mods.

Detection can focus on identifying if any mods are listed in these configuration settings and monitoring for unexpected modifications to the world.mt file, which malicious mods can alter to enable other mods.

Since the vulnerability is related to Lua coroutine exploitation in the function ScriptApiSecurity::getCurrentModName, detection might involve checking for unusual coroutine activity or unauthorized function overrides in the mod environment.

No specific detection commands are provided in the resources, but you can start by inspecting the configuration files for secure.trusted_mods and secure.http_mods entries and monitoring file changes to world.mt.

Useful 0 Not Useful 0

Mitigation Strategies

The primary immediate mitigation is to clear the secure.trusted_mods and secure.http_mods settings in your configuration to disable access to these features for all mods.

Additionally, upgrading Luanti to version 5.15.2 or later will apply the official fix that prevents malicious mods from exploiting coroutine behavior and stack frame checks to bypass security.

Monitoring and restricting modifications to the world.mt file can also help prevent malicious mods from enabling unauthorized mods.

Useful 0 Not Useful 0