CVE-2026-24130 Overview
CVE-2026-24130 is an LDAP Injection vulnerability affecting Moonraker, a Python web server that provides API access to Klipper 3D printing firmware. Instances of Moonraker version 0.9.3 and below that are configured with the ldap component enabled are vulnerable to LDAP search filter injection techniques via the login endpoint. Attackers can exploit the 401 error response message to determine whether an LDAP search was successful, enabling brute force enumeration of LDAP entries such as user IDs and user attributes.
Critical Impact
Attackers can enumerate sensitive LDAP directory information including user IDs and attributes through blind LDAP injection attacks against the authentication endpoint.
Affected Products
- Moonraker versions 0.9.3 and below with LDAP component enabled
- Klipper 3D printing deployments using vulnerable Moonraker instances
- Systems with LDAP authentication configured for Moonraker API access
Discovery Timeline
- 2026-01-22 - CVE-2026-24130 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2026-24130
Vulnerability Analysis
This LDAP Injection vulnerability (CWE-90) exists in the authentication flow of Moonraker when the LDAP component is enabled. The vulnerability allows unauthenticated attackers to inject malicious LDAP search filter syntax through the login endpoint. By analyzing the HTTP 401 error responses, an attacker can infer whether their injected LDAP queries returned results, effectively creating a blind LDAP injection scenario.
The attack requires network access to the Moonraker web server and does not require any authentication or user interaction. While the vulnerability allows for information disclosure, it does not directly enable modification of LDAP data or denial of service conditions.
Root Cause
The root cause of this vulnerability is improper neutralization of special elements used in LDAP queries (CWE-90). User-supplied input in the login endpoint is incorporated into LDAP search filters without adequate sanitization or encoding. This allows attackers to manipulate the structure of LDAP queries by injecting metacharacters such as *, (, ), and logical operators.
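An added illustration (not Moonraker's own code; the filter template is an assumption) of how raw interpolation lets a username alter the filter's structure, next to the RFC 4515 escaping that keeps it a literal value:

```python
# RFC 4515 section 3: characters that must be escaped inside a filter value.
# Backslash comes first so the escape sequences themselves are not re-escaped.
_ESCAPES = (
    ("\\", r"\5c"),
    ("*", r"\2a"),
    ("(", r"\28"),
    (")", r"\29"),
    ("\x00", r"\00"),
)

def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter (RFC 4515)."""
    for raw, esc in _ESCAPES:
        value = value.replace(raw, esc)
    return value

# Assumed filter template for the example; three components, one per "(".
def build_filter_vulnerable(username: str) -> str:
    """Raw interpolation: metacharacters in the username become filter syntax."""
    return f"(&(objectClass=person)(uid={username}))"

def build_filter_hardened(username: str) -> str:
    """Escaped interpolation: the username is always a literal assertion value."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"

def filter_component_count(ldap_filter: str) -> int:
    """Number of filter components (opening parentheses). The template yields
    three; any other count means the input changed the query's structure."""
    return ldap_filter.count("(")
```

A lone `*` through the vulnerable builder yields `(uid=*)`, which matches every entry, while the hardened builder emits `(uid=\2a)`, matching only a literal asterisk.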
Attack Vector
The attack is conducted over the network by sending crafted authentication requests to the Moonraker login endpoint. An attacker submits username values containing LDAP filter injection payloads. The server's 401 error response behavior differs based on whether the injected LDAP query matches entries in the directory, allowing attackers to enumerate valid usernames, discover user attributes, and map the LDAP directory structure through iterative brute force techniques.
The attack does not require prior authentication or any privileges on the target system. Exploitation involves systematically testing LDAP filter expressions and observing response patterns to infer information about the LDAP directory contents.
Detection Methods for CVE-2026-24130
Indicators of Compromise
- Unusual patterns of failed authentication attempts containing LDAP metacharacters (*, (, ), |, &)
- High volume of login requests from single IP addresses with varying username payloads
- Authentication log entries showing usernames with LDAP filter syntax patterns
- Sequential enumeration patterns in login attempts suggesting automated scanning
Detection Strategies
- Monitor authentication logs for usernames containing LDAP special characters and filter expressions
- Implement rate limiting on the login endpoint to slow enumeration attacks
- Deploy web application firewall rules to detect LDAP injection patterns in request parameters
- Alert on anomalous authentication failure rates from individual source addresses
Monitoring Recommendations
- Enable verbose logging on the Moonraker server to capture full authentication request details
- Correlate failed login attempts with LDAP server query logs to identify injection patterns
- Establish baseline authentication metrics and alert on deviations indicating enumeration activity
- Review access logs for the /login endpoint for suspicious request patterns
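The indicators and detection strategies above, applied to log lines as an added example (not Moonraker's code; the log format and the sample lines are constructed for this illustration):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not real Moonraker output).
# Assumed format: <ISO timestamp> <client ip> <method> <path> <status> user="<name>"
SAMPLE_LOG = """\
2026-01-22T10:00:01Z 203.0.113.5 POST /login 401 user="alice"
2026-01-22T10:00:02Z 203.0.113.5 POST /login 401 user="a*"
2026-01-22T10:00:03Z 203.0.113.5 POST /login 401 user="b*"
2026-01-22T10:00:04Z 203.0.113.5 POST /login 401 user="(c*)"
2026-01-22T10:00:05Z 203.0.113.5 POST /login 401 user="d*&"
2026-01-22T10:00:09Z 198.51.100.7 POST /login 401 user="bob"
2026-01-22T10:00:12Z 198.51.100.7 POST /login 200 user="bob"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) \S+ (?P<path>\S+) '
                     r'(?P<status>\d{3}) user="(?P<user>[^"]*)"$')
# Metacharacters from the indicator list above (* ( ) | &) plus backslash.
LDAP_META_RE = re.compile(r'[*()|&\\]')

def parse_line(line: str):
    """Return a dict for a line in the assumed format, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def analyze(log_text: str, window=timedelta(seconds=60), fail_threshold=4) -> dict:
    """Per source IP: failed-login usernames containing LDAP metacharacters,
    and whether fail_threshold or more 401s fell inside one sliding window."""
    by_ip = defaultdict(list)
    for ev in map(parse_line, log_text.splitlines()):
        if ev and ev["path"] == "/login" and ev["status"] == 401:
            by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        meta = [e["user"] for e in fails if LDAP_META_RE.search(e["user"])]
        burst, start = False, 0
        for end in range(len(fails)):          # sliding window over failure times
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            burst = burst or (end - start + 1 >= fail_threshold)
        findings[ip] = {"metachar_usernames": meta, "failure_burst": burst}
    return findings
```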
How to Mitigate CVE-2026-24130
Immediate Actions Required
- Upgrade Moonraker to version 0.10.0 or later, which contains the security fix
- Review authentication logs for evidence of exploitation attempts
- Consider temporarily disabling the LDAP component if upgrade cannot be performed immediately
- Implement network-level access controls to restrict exposure of the Moonraker API
Patch Information
The vulnerability has been fixed in Moonraker version 0.10.0. The fix involves proper sanitization of user input before incorporating it into LDAP search filters. Details of the security fix can be found in the GitHub commit and the GitHub Security Advisory GHSA-3jqf-v4mv-747g.
Workarounds
- Disable the LDAP component in Moonraker configuration if not required for operations
- Restrict network access to the Moonraker API using firewall rules to trusted IP ranges only
- Implement a reverse proxy with web application firewall capabilities to filter malicious requests
- Use alternative authentication mechanisms that do not rely on the vulnerable LDAP integration
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

