CVE-2026-40960
Unauthorized Access via Insecure Environment in Luanti 5 Before
Publication date: 2026-04-16
Last updated on: 2026-04-16
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| luanti | luanti | up to 5.15.2 (excluding) |
| luanti | luanti | 5.15.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-670 | The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40960 is a security vulnerability in the luanti project versions before 5.15.2 that allows unintended access to an insecure environment via the HTTP API. This happens when at least one mod is listed in the configuration settings secure.trusted_mods or secure.http_mods. Under these conditions, a crafted malicious mod can intercept requests intended for the insecure environment or HTTP API and gain unauthorized access to it.
The malicious mod does not need to be initially enabled because it can modify the world.mt file to enable any other mod, facilitating exploitation. The vulnerability arises from insufficient checks in the function ScriptApiSecurity::getCurrentModName, which could be bypassed using coroutine-based exploits to steal return values or override functions.
The issue was fixed by adding checks to detect coroutine usage and ensuring proper stack inspection to prevent indirect or coroutine-based calls that could bypass security.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to the insecure environment or HTTP API of the luanti application. A malicious mod can intercept and manipulate requests, potentially gaining high levels of control or access.
- Confidentiality impact: The attacker can access sensitive data in the insecure environment.
- Integrity impact: The attacker can override functions or modify behavior by enabling other mods.
- Availability impact: The attacker might disrupt normal operations by exploiting the insecure environment.
Overall, the vulnerability has a high severity rating with a CVSS base score of 8.1, indicating significant risk if exploited.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves malicious mods intercepting requests to the insecure environment or HTTP API by exploiting configuration settings like secure.trusted_mods or secure.http_mods.
Detection can focus on identifying if any mods are listed in these configuration settings and monitoring for unexpected modifications to the world.mt file, which malicious mods can alter to enable other mods.
Since the vulnerability is related to Lua coroutine exploitation in the function ScriptApiSecurity::getCurrentModName, detection might involve checking for unusual coroutine activity or unauthorized function overrides in the mod environment.
No specific detection commands are provided in the resources, but you can start by inspecting the configuration files for secure.trusted_mods and secure.http_mods entries and monitoring file changes to world.mt.
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation is to clear the secure.trusted_mods and secure.http_mods settings in your configuration to disable access to these features for all mods.
Additionally, upgrading Luanti to version 5.15.2 or later will apply the official fix that prevents malicious mods from exploiting coroutine behavior and stack frame checks to bypass security.
Monitoring and restricting modifications to the world.mt file can also help prevent malicious mods from enabling unauthorized mods.
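A defender-side check for the two mitigations above (the secure.* settings and the mods enabled in world.mt), as an added Python example that is not part of this advisory or of Luanti. It assumes the server config is a file of "key = value" lines (minetest.conf) and that world.mt toggles mods with "load_mod_<name> = true|false" entries; the sample files are constructed.

```python
# Assumed formats: "key = value" config lines; world.mt uses "load_mod_<name> = true|false".
def parse_kv(text):
    """Parse 'key = value' lines; blanks and '#' comments are skipped."""
    kv = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        kv[key.strip()] = value.strip()
    return kv

def privileged_mods(conf_text):
    """Map each secure.* setting named in the advisory to the mods it lists."""
    conf = parse_kv(conf_text)
    found = {}
    for key in ("secure.trusted_mods", "secure.http_mods"):
        names = [m.strip() for m in conf.get(key, "").split(",") if m.strip()]
        if names:
            found[key] = names
    return found

def enabled_mods(world_mt_text):
    """Set of mod names that world.mt marks as enabled."""
    kv = parse_kv(world_mt_text)
    return {k[len("load_mod_"):] for k, v in kv.items()
            if k.startswith("load_mod_") and v.lower() == "true"}

def assess(conf_text, world_mt_text):
    """Return (exposed, findings). Exposed whenever any mod is listed in a secure.*
    setting: the advisory says the attacking mod need not be enabled, so the
    enabled-mod list is reported for review, not used to clear the risk."""
    priv = privileged_mods(conf_text)
    findings = [f"{key} lists {', '.join(names)}; clear it or upgrade to 5.15.2+"
                for key, names in priv.items()]
    if priv:
        findings.append("world.mt enables: " + ", ".join(sorted(enabled_mods(world_mt_text))))
    return bool(priv), findings

# Constructed sample files so the check runs stand-alone.
SAMPLE_CONF = """# server config
port = 30000
secure.trusted_mods = mesecons, worldedit
secure.http_mods =
"""
SAMPLE_WORLD_MT = """gameid = minetest_game
load_mod_mesecons = true
load_mod_worldedit = false
load_mod_unknown_mod = true
"""
```

Run `assess(open("minetest.conf").read(), open("world.mt").read())` against the real files; a False result means neither secure.* setting lists a mod.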
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.