{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-40960", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-16T00:54:45.558Z", "datePublished": "2026-04-16T00:54:45.935Z", "dateUpdated": "2026-04-16T12:31:57.082Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Luanti", "vendor": "Luanti", "versions": [{"lessThan": "5.15.2", "status": "affected", "version": "5.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Luanti 5 before 5.15.2 sometimes allows unintended access to an insecure environment. If at least one mod is listed as secure.trusted_mods or secure.http_mods, then a crafted mod can intercept the request for the insecure environment or HTTP API, and also receive access to it."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-670", "description": "CWE-670 Always-Incorrect Control Flow Implementation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-16T01:20:26.427Z"}, "references": [{"url": "https://github.com/luanti-org/luanti/security/advisories/GHSA-22c4-238c-m5j4"}, {"url": "https://github.com/luanti-org/luanti/commit/0faf529bc4b89e70a275ed1162047815118f2413"}, {"url": "https://github.com/luanti-org/luanti/commit/827fd4cf7f989482b2dad381fa4afd642ea73e8c"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T12:22:19.771370Z", "id": "CVE-2026-40960", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:31:57.082Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40960", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-16T12:22:19.771370Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:22:21.432Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Luanti", "product": "Luanti", "versions": [{"status": "affected", "version": "5.0.0", "lessThan": "5.15.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/luanti-org/luanti/security/advisories/GHSA-22c4-238c-m5j4"}, {"url": "https://github.com/luanti-org/luanti/commit/0faf529bc4b89e70a275ed1162047815118f2413"}, {"url": "https://github.com/luanti-org/luanti/commit/827fd4cf7f989482b2dad381fa4afd642ea73e8c"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Luanti 5 before 5.15.2 sometimes allows unintended access to an insecure environment. If at least one mod is listed as secure.trusted_mods or secure.http_mods, then a crafted mod can intercept the request for the insecure environment or HTTP API, and also receive access to it."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-670", "description": "CWE-670 Always-Incorrect Control Flow Implementation"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-16T01:20:26.427Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40960", "state": "PUBLISHED", "dateUpdated": "2026-04-16T12:31:57.082Z", "dateReserved": "2026-04-16T00:54:45.558Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-16T00:54:45.935Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Luanti 5 before 5.15.2 sometimes allows unintended access to an insecure environment. If at least one mod is listed as secure.trusted_mods or secure.http_mods, then a crafted mod can intercept the request for the insecure environment or HTTP API, and also receive access to it."}], "id": "CVE-2026-40960", "lastModified": "2026-04-16T01:16:11.770", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 6.0, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-16T01:16:11.770", "references": [{"source": "cve@mitre.org", "url": "https://github.com/luanti-org/luanti/commit/0faf529bc4b89e70a275ed1162047815118f2413"}, {"source": "cve@mitre.org", "url": "https://github.com/luanti-org/luanti/commit/827fd4cf7f989482b2dad381fa4afd642ea73e8c"}, {"source": "cve@mitre.org", "url": "https://github.com/luanti-org/luanti/security/advisories/GHSA-22c4-238c-m5j4"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-670"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,5.15.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Luanti", "source": "cna", "vendor": "Luanti"}, "product": "luanti", "vendor": "luanti"}], "analysis": {"en": {"generated_at": "2026-04-17T04:55:26.570272+00:00", "value": {"mitigation_remediation": ["Upgrade to Luanti 5.15.2 or later to receive the patch.", "Review the module configuration and ensure only authorized modules are listed under secure.trusted_mods or secure.http_mods.", "Remove or disable any untrusted or unnecessary modules that could exploit the insecure environment.", "Verify that future releases are installed promptly to maintain protection against similar vulnerabilities."], "summary": {"action": "Apply Patch", "impact": "Unauthorized access to insecure environment via crafted module"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Luanti version 5.x releases older than 5.15.2. Administrators should verify the installed version and upgrade to the patched release to eliminate the risk.", "description_and_impact": "Luanti 5 releases before 5.15.2 can allow a malicious module to intercept requests to an insecure environment or the HTTP API. The module runs with privileged access and can read or alter data destined for the insecure environment, thereby breaching confidentiality, integrity, or availability. The flaw is labeled CWE-670, indicating improper restriction of identities in privileged functions.", "risk_and_exploitability": "The CVSS score is 8.1, denoting high severity. The EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. The attacker must supply a malicious module, implying local or administrative access to the Luanti instance. Once the module is loaded, it can intercept requests destined for the insecure environment or the HTTP API, giving the attacker unauthorized read or modification capabilities. The likely attack vector is crafting and deploying a module that Luanti loads, which requires access to the server\u2019s module directory. Based on the description, it is inferred that an attacker needs the ability to place a module file in a directory that Luanti scans for plugins."}}}}, "created": "2026-04-16T09:12:06.350661+00:00", "title": "Crafted Module Enables Unauthorized Access to Insecure Environment in Luanti", "updated": "2026-04-17T05:00:05.512473+00:00", "vendors": ["luanti", "luanti$PRODUCT$luanti"]}