CVE-2026-40960 Overview
CVE-2026-40960 is an authorization bypass vulnerability in Luanti (formerly known as Minetest) versions prior to 5.15.2. The vulnerability allows unintended access to an insecure environment when at least one mod is configured in secure.trusted_mods or secure.http_mods. A crafted malicious mod can intercept requests for the insecure environment or HTTP API, gaining unauthorized access to these privileged interfaces.
Critical Impact
Malicious mods can bypass security boundaries to access the insecure environment and HTTP API, potentially enabling arbitrary code execution or unauthorized network communications within Luanti installations.
Affected Products
- Luanti versions prior to 5.15.2
- Installations with at least one mod configured in secure.trusted_mods
- Installations with at least one mod configured in secure.http_mods
Discovery Timeline
- 2026-04-16 - CVE CVE-2026-40960 published to NVD
- 2026-04-16 - Last updated in NVD database
Technical Details for CVE-2026-40960
Vulnerability Analysis
This vulnerability stems from CWE-670 (Always-Incorrect Control Flow Implementation), indicating a fundamental flaw in how Luanti handles mod security boundaries. The insecure environment and HTTP API in Luanti are designed to be restricted resources, accessible only to explicitly trusted mods. However, due to improper control flow in the request handling mechanism, a crafted mod can position itself to intercept these privileged requests.
When a legitimate trusted mod attempts to access the insecure environment or HTTP API, the vulnerability allows a malicious mod to hijack this request. The attacking mod not only intercepts the request but also receives the privileged access that was intended for the trusted mod. This breaks the security model that Luanti relies upon to isolate potentially dangerous functionality from untrusted code.
The local attack vector with high attack complexity indicates that exploitation requires the attacker to have already introduced a malicious mod into the Luanti installation, though no privileges are required for the exploit to succeed.
Root Cause
The root cause lies in improper control flow implementation (CWE-670) within Luanti's mod security architecture. The mechanism responsible for routing requests to the insecure environment and HTTP API fails to properly validate and authenticate which mod is making the request. This allows a malicious mod to intercept and inherit the security context of a legitimately trusted mod, bypassing the intended access controls.
Attack Vector
The attack requires local access to install a malicious mod on a Luanti instance that has at least one mod configured as trusted. The attack unfolds as follows:
- The attacker creates a malicious mod designed to intercept insecure environment or HTTP API requests
- The malicious mod is installed alongside at least one legitimately trusted mod
- When the trusted mod attempts to access privileged resources, the malicious mod intercepts the request
- The malicious mod gains the same privileged access that was intended for the trusted mod
- The attacker can now execute code in the insecure environment or access the HTTP API without authorization
The vulnerability allows the malicious mod to achieve scope change, potentially affecting resources beyond its normal security boundary, which can result in high impacts to confidentiality, integrity, and availability.
Detection Methods for CVE-2026-40960
Indicators of Compromise
- Unexpected mod activity accessing the insecure environment or HTTP API
- Mods exhibiting behavior inconsistent with their stated functionality
- Unusual network connections originating from Luanti processes
- Log entries showing multiple mods accessing privileged resources in quick succession
Detection Strategies
- Monitor Luanti configuration files for unauthorized additions to secure.trusted_mods or secure.http_mods
- Audit installed mods against known-good checksums or signatures
- Implement file integrity monitoring on the Luanti mods directory
- Review Luanti logs for suspicious patterns of insecure environment or HTTP API access
Monitoring Recommendations
- Enable verbose logging for Luanti mod activities when running in sensitive environments
- Establish baseline behavior for trusted mods to detect anomalous access patterns
- Monitor network traffic from Luanti processes for unexpected HTTP API usage
- Implement periodic mod directory audits to detect unauthorized mod installations
How to Mitigate CVE-2026-40960
Immediate Actions Required
- Upgrade Luanti to version 5.15.2 or later immediately
- Review all installed mods and remove any untrusted or unnecessary mods
- Audit the secure.trusted_mods and secure.http_mods configuration settings
- Consider temporarily disabling mod access to the insecure environment and HTTP API until patched
Patch Information
The Luanti development team has addressed this vulnerability in version 5.15.2. Two commits have been released to fix the issue:
For complete details on the vulnerability and fix, refer to the GitHub Security Advisory GHSA-22c4-238c-m5j4.
Workarounds
- If upgrading is not immediately possible, remove all mods from secure.trusted_mods and secure.http_mods to prevent exploitation
- Only install mods from verified and trusted sources
- Run Luanti in isolated environments with limited network access
- Regularly audit and minimize the number of mods with elevated privileges
# Configuration example - Remove trusted mod entries temporarily
# Edit your minetest.conf or luanti.conf file:
# Comment out or remove these lines until patched:
# secure.trusted_mods =
# secure.http_mods =
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
