Access Control Vulnerability in Luanti 5 by Luanti-org
CVE-2026-40960

8.1HIGH

Key Information:

Vendor: Luanti
Status: Luanti
Vendor: CVE Published:; 16 April 2026

What is CVE-2026-40960?

Luanti 5, prior to version 5.15.2, presents an access control vulnerability that could lead to unintended access to insecure environments. If a mod is classified under secure.trusted_mods or secure.http_mods, attackers exploiting a crafted mod could redirect requests intended for the insecure environment or HTTP API, gaining unauthorized access. Proper configuration and regular updates are essential to mitigate this risk.

Affected Version(s)

Luanti 5.0.0 < 5.15.2

References

https://github.com/luanti-org/luanti/security/advisories/...

https://github.com/luanti-org/luanti/commit/0faf529bc4b89...

https://github.com/luanti-org/luanti/commit/827fd4cf7f989...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 16, 2026
Vulnerability Reserved
Apr 16, 2026

CVE-2026-40960 Data

JSON