https://feed.craftedsignal.io/tags/luanti/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 16 Apr 2026 01:16:11 +0000https://feed.craftedsignal.io/briefs/2026-04-luanti-sandbox-escape/Thu, 16 Apr 2026 01:16:11 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-luanti-sandbox-escape/Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod, potentially leading to arbitrary code execution.CVE-2026-40959 describes a critical vulnerability in Luanti 5, specifically in versions prior to 5.15.2, when used with LuaJIT. The vulnerability allows a malicious actor to escape the Lua sandbox environment by exploiting a crafted “mod.” This escape could lead to unauthorized access and control over the system, potentially allowing for arbitrary code execution outside of the intended sandbox. The vulnerability was reported to MITRE and assigned a CVSS v3.1 score of 9.3, indicating a critical severity. This vulnerability poses a significant threat to systems relying on Luanti for sandboxed Lua execution.

Attack Chain

1. Attacker crafts a malicious Lua “mod” specifically designed to exploit the sandbox escape vulnerability in Luanti.
2. The malicious mod leverages weaknesses in the LuaJIT implementation within Luanti to bypass sandbox restrictions.
3. The crafted mod is loaded into a vulnerable Luanti 5 instance.
4. Upon execution of the malicious mod, the attacker gains the ability to execute arbitrary Lua code outside the intended sandbox.
5. The attacker can then utilize this escaped context to interact with the underlying operating system.
6. Using OS-level access, the attacker escalates privileges further.
7. The attacker installs persistent backdoors or other malicious software.
8. Finally, the attacker achieves complete system compromise, exfiltrates sensitive data, or causes other damage.

Impact

Successful exploitation of CVE-2026-40959 could lead to a complete compromise of systems utilizing vulnerable versions of Luanti 5 with LuaJIT. An attacker could gain unauthorized access to sensitive data, install malware, or disrupt critical services. Given the critical CVSS score of 9.3, the potential impact is high, especially in environments where Luanti is used to sandbox untrusted Lua code. The number of potential victims depends on the adoption rate of Luanti 5 and the prevalence of LuaJIT usage within those installations.

Recommendation

• Upgrade Luanti to version 5.15.2 or later to patch CVE-2026-40959.
• Monitor for the loading of unsigned or untrusted Lua mods within Luanti environments (see process_creation rule below).
• Inspect Lua mods for suspicious code patterns indicative of sandbox escape attempts (develop custom rules based on the specific LuaJIT weaknesses exploited).

]]>criticaladvisorysandbox-escapeluantiluajitcve-2026-40959https://feed.craftedsignal.io/briefs/2026-04-luanti-access/Thu, 16 Apr 2026 01:16:11 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-luanti-access/Luanti 5 before 5.15.2 allows unintended access to an insecure environment if a crafted mod intercepts requests when secure mods are enabled, potentially leading to unauthorized access and control.Luanti 5, a software package (details not provided in source), prior to version 5.15.2, suffers from an improper access control vulnerability (CVE-2026-40960). This flaw can be exploited when at least one mod is configured as either secure.trusted_mods or secure.http_mods. Under these conditions, a specially crafted malicious mod can intercept requests intended for the insecure environment or HTTP API, effectively bypassing intended security controls. The vulnerability allows the malicious mod to gain unauthorized access to sensitive resources, potentially leading to data breaches or system compromise. Organizations using affected versions of Luanti 5 are urged to upgrade to version 5.15.2 or implement mitigating controls to prevent exploitation.

Attack Chain

1. An attacker identifies a Luanti 5 instance running a version prior to 5.15.2 with at least one mod configured as secure.trusted_mods or secure.http_mods.
2. The attacker crafts a malicious mod designed to intercept HTTP requests.
3. The attacker deploys the crafted mod to the Luanti 5 environment.
4. The malicious mod intercepts requests directed towards the insecure environment or HTTP API.
5. Due to the vulnerability, the malicious mod gains unauthorized access to the targeted environment or API.
6. The attacker leverages the gained access to perform unauthorized actions, such as reading sensitive data or manipulating system configurations.
7. The attacker exfiltrates sensitive data or establishes persistent access for future malicious activities.

Impact

Successful exploitation of CVE-2026-40960 can lead to complete compromise of the insecure environment or HTTP API within Luanti 5. This could result in unauthorized access to sensitive data, modification of system configurations, or complete system takeover. The severity of the impact depends on the specific functionality and data exposed by the insecure environment, but could include data breaches, financial loss, or reputational damage.

Recommendation

• Upgrade Luanti 5 to version 5.15.2 or later to patch CVE-2026-40960.
• If upgrading is not immediately feasible, review the configuration of secure.trusted_mods and secure.http_mods and remove any untrusted or unnecessary mods.
• Monitor Luanti 5 webserver logs for suspicious HTTP requests originating from unusual or newly deployed mods using the provided Sigma rule.
• Implement strict access control policies for deploying and managing Luanti 5 mods to prevent unauthorized installation of malicious modules.

]]>highadvisorycve-2026-40960luantiaccess-control