CVE-2026-34444
Published: 06 April 2026
Summary
CVE-2026-34444 is a critical-severity Improper Access Control (CWE-284) vulnerability in Scoder Lupa. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires timely identification, reporting, and correction of the specific flaw in Lupa's attribute_filter, preventing exploitation leading to arbitrary code execution.
- AC-25 (Reference Monitor): Implements a reference monitor to consistently enforce access controls on Lua attributes, directly countering bypasses via getattr and setattr.
- AC-3 (Access Enforcement): Mandates enforcement of approved authorizations for attribute access in the CPython-Lua integration, addressing the inconsistent application of restrictions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated arbitrary code execution via bypass in Python-Lua library directly enables exploitation of public-facing apps (T1190) and Python interpreter abuse (T1059.006).
NVD Description
Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution.
Deeper analysis
CVE-2026-34444 is a critical vulnerability in Lupa versions 2.6 and earlier, a library that integrates Lua or LuaJIT2 runtimes into CPython. The issue arises because the attribute_filter mechanism is not consistently applied when attributes are accessed via built-in functions like getattr and setattr. This inconsistency allows attackers to bypass the intended restrictions, ultimately enabling arbitrary code execution. The vulnerability is associated with CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key), and it received a maximum CVSS score of 10.0 under CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
The attack scenario involves a remote, unauthenticated attacker: the vector is network-based, no privileges or user interaction are required, and attack complexity is low. By leveraging the inconsistent attribute filtering through getattr and setattr, an attacker can evade the Lua runtime restrictions within the CPython environment and achieve arbitrary code execution. The result is high-impact compromise of confidentiality, integrity, and availability, with a scope change that amplifies the threat.
Mitigation details are outlined in the GitHub security advisory at https://github.com/scoder/lupa/security/advisories/GHSA-69v7-xpr6-6gjm, published on 2026-04-06. Security practitioners should consult this reference for patching guidance and workarounds specific to affected Lupa deployments.
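The first practical step for a defender is to find every deployment running a Lupa version inside the affected range. The script below is an added example, not code from the advisory page or from the lupa project. It assumes only what the NVD text states (2.6 and earlier is affected); it treats any version above 2.6 as outside the stated range rather than as confirmed fixed, and conservatively flags 2.6.x patch releases too, since the page does not name the fixed release. The host names, the inventory dictionary and the pip-freeze lines are constructed sample data.

```python
"""Inventory check for CVE-2026-34444 (lupa attribute_filter bypass).

Added example, not part of the advisory or the lupa project. Assumes only
the NVD statement that lupa 2.6 and earlier is affected.
"""
import importlib.metadata
import re
from typing import Dict, Iterable, List, Optional, Tuple

AFFECTED_PACKAGE = "lupa"
LAST_AFFECTED = (2, 6)  # "In 2.6 and earlier" (NVD description)

# Leading dotted-integer release segment; suffixes such as a1, .post1, +local are ignored.
_NUMERIC_PREFIX = re.compile(r"^(\d+(?:\.\d+)*)")
# One `pip freeze` pin: "name==version".
_FREEZE_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*(\S+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Return the numeric release tuple of a version string.

    Raises ValueError on strings with no numeric prefix so that an
    unparseable version is never silently treated as safe.
    """
    m = _NUMERIC_PREFIX.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True if the lupa version is within the stated affected range.

    Conservative interpretation: only (major, minor) is compared, so
    2.6, 2.6.1 and 2.4 are flagged; 2.7 and 3.0 are not.
    """
    rel = parse_version(version)[:2]
    rel = rel + (0,) * (2 - len(rel))  # "2" -> (2, 0)
    return rel <= LAST_AFFECTED


def affected_hosts(inventory: Dict[str, Iterable[str]]) -> List[Tuple[str, str]]:
    """Scan per-host `pip freeze` output; return (host, version) for affected lupa pins."""
    hits: List[Tuple[str, str]] = []
    for host, lines in inventory.items():
        for line in lines:
            m = _FREEZE_LINE.match(line)
            if not m or m.group(1).lower() != AFFECTED_PACKAGE:
                continue
            if is_affected(m.group(2)):
                hits.append((host, m.group(2)))
    return hits


def installed_lupa_version() -> Optional[str]:
    """Version of lupa in the current interpreter, or None if it is not installed."""
    try:
        return importlib.metadata.version(AFFECTED_PACKAGE)
    except importlib.metadata.PackageNotFoundError:
        return None


# Constructed sample inventory (not real hosts or real freeze output).
SAMPLE_INVENTORY = {
    "app-01": ["flask==3.0.0", "lupa==2.4", "requests==2.32.0"],
    "app-02": ["Lupa==2.6"],
    "app-03": ["lupa==2.7"],
    "batch-01": ["numpy==1.26.0"],
}

if __name__ == "__main__":
    for host, ver in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: lupa {ver} is within the affected range of CVE-2026-34444")
    local = installed_lupa_version()
    if local is not None:
        print(f"local interpreter: lupa {local}, affected={is_affected(local)}")
```

Run it against real `pip freeze` output collected from each host (one list of lines per host) and treat every hit as a remediation item; the local check at the end is useful on the hosts themselves, where the package metadata is authoritative.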
Details
- CWE(s)