high advisory

Luanti 5 Improper Access Control Vulnerability (CVE-2026-40960)

Luanti 5 before 5.15.2 allows unintended access to an insecure environment if a crafted mod intercepts requests when secure mods are enabled, potentially leading to unauthorized access and control.

Luanti 5 prior to version 5.15.2 has an improper access control vulnerability (CVE-2026-40960). The flaw is exploitable when at least one mod is listed in either secure.trusted_mods or secure.http_mods. Under these conditions, a specially crafted malicious mod can intercept requests intended for the insecure environment or HTTP API, bypassing the intended security controls. The vulnerability allows the malicious mod to gain unauthorized access to sensitive resources, potentially leading to data breaches or system compromise. Organizations using affected versions of Luanti 5 are urged to upgrade to version 5.15.2 or implement mitigating controls to prevent exploitation.

Attack Chain

  1. An attacker identifies a Luanti 5 instance running a version prior to 5.15.2 with at least one mod listed in secure.trusted_mods or secure.http_mods.
  2. The attacker crafts a malicious mod designed to intercept HTTP requests.
  3. The attacker deploys the crafted mod to the Luanti 5 environment.
  4. The malicious mod intercepts requests directed towards the insecure environment or HTTP API.
  5. Due to the vulnerability, the malicious mod gains unauthorized access to the targeted environment or API.
  6. The attacker leverages the gained access to perform unauthorized actions, such as reading sensitive data or manipulating system configurations.
  7. The attacker exfiltrates sensitive data or establishes persistent access for future malicious activities.

Impact

Successful exploitation of CVE-2026-40960 can lead to complete compromise of the insecure environment or HTTP API within Luanti 5. This could result in unauthorized access to sensitive data, modification of system configurations, or complete system takeover. The severity of the impact depends on the specific functionality and data exposed by the insecure environment, but could include data breaches, financial loss, or reputational damage.

Recommendation

  • Upgrade Luanti 5 to version 5.15.2 or later to patch CVE-2026-40960.
  • If upgrading is not immediately feasible, review the configuration of secure.trusted_mods and secure.http_mods and remove any untrusted or unnecessary mods.
  • Monitor Luanti 5 webserver logs for suspicious HTTP requests originating from unusual or newly deployed mods using the provided Sigma rule.
  • Implement strict access control policies for deploying and managing Luanti 5 mods to prevent unauthorized installation of malicious modules.
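
The configuration review recommended above can be scripted. The following is an added example, not code from the advisory or from the Luanti project; it assumes the settings file uses plain `key = value` lines with comma-separated mod lists, and the sample mod names and the reviewed-mods allowlist are constructed for illustration.

```python
import re

FIXED = (5, 15, 2)  # first fixed release per the advisory
SETTINGS = ("secure.trusted_mods", "secure.http_mods")

# Constructed sample configuration; mod names are made up for illustration.
SAMPLE_CONF = """\
# server settings
secure.enable_security = true
secure.trusted_mods = irc_bridge, stats_db
secure.http_mods = webhook_notify
"""

def parse_conf(text):
    """Parse 'key = value' lines; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()  # last assignment wins
    return conf

def parse_version(text):
    """Turn the leading numeric part of '5.14.0' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def audit(conf_text, version, reviewed_mods):
    """Report the advisory's precondition and any listed mod nobody has reviewed."""
    conf = parse_conf(conf_text)
    listed = {key: [m.strip() for m in conf.get(key, "").split(",") if m.strip()]
              for key in SETTINGS}
    ver = parse_version(version)
    affected = ver[0] == 5 and ver < FIXED  # "Luanti 5 before 5.15.2"
    all_listed = {m for mods in listed.values() for m in mods}
    return {
        "listed": listed,
        "precondition_met": affected and bool(all_listed),
        "unreviewed": sorted(all_listed - set(reviewed_mods)),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, "5.14.0", reviewed_mods={"irc_bridge"}))
```

A result with `precondition_met` set to true means the instance matches both conditions the advisory names (affected version and at least one listed mod); the `unreviewed` list is where to start removing entries.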

Detection coverage (2)

Detect Suspicious HTTP Requests from Unusual Luanti Mods

Severity: medium

Detects potentially malicious HTTP requests originating from uncommon or newly deployed Luanti mods

Format: sigma; tactics: initial_access; techniques: T1190; sources: webserver, linux

Detect Luanti Mod Deployment

Severity: info

Detects deployment of new Luanti modules, which should be monitored for suspicious activity related to CVE-2026-40960

Format: sigma; tactics: persistence; techniques: T1105; sources: file_event, linux


Indicators of compromise (1)

Type   Value
email  [email protected]