CVE-2026-40960
Published: 16 April 2026
Summary
CVE-2026-40960 is a high-severity Always-Incorrect Control Flow Implementation (CWE-670) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Remediating the Luanti 5 vulnerability via timely flaw remediation directly prevents crafted mods from intercepting requests to insecure environments.
Controlling and monitoring user-installed software prevents the deployment of crafted mods that exploit the mod interception mechanism.
Establishing secure configuration settings for secure.trusted_mods and secure.http_mods avoids the prerequisite condition enabling crafted mod interception.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables bypassing secure.trusted_mods/http_mods controls via crafted mod interception to gain unintended access to elevated insecure environment/HTTP API, directly facilitating local privilege escalation and abuse of elevation control mechanisms.
NVD Description
Luanti 5 before 5.15.2 sometimes allows unintended access to an insecure environment. If at least one mod is listed as secure.trusted_mods or secure.http_mods, then a crafted mod can intercept the request for the insecure environment or HTTP API, and also…
more
receive access to it.
Deeper analysisAI
CVE-2026-40960 is a vulnerability in Luanti 5 versions prior to 5.15.2 that sometimes allows unintended access to an insecure environment. Specifically, if at least one mod is listed in secure.trusted_mods or secure.http_mods, a crafted mod can intercept requests for the insecure environment or HTTP API and gain access to it. The issue is classified under CWE-670 (Always-Incorrect Control Flow Implementation) with a CVSS v3.1 base score of 8.1 (AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
An attacker with local access can exploit this vulnerability without privileges or user interaction, though it requires high attack complexity. By crafting a malicious mod that leverages the presence of trusted mods in the specified secure lists, the attacker can intercept and access the insecure environment or HTTP API, potentially leading to high-impact confidentiality, integrity, and availability violations in a changed scope.
Mitigation involves upgrading to Luanti 5.15.2 or later, as detailed in the GitHub security advisory (GHSA-22c4-238c-m5j4) and the associated fix commits (0faf529bc4b89e70a275ed1162047815118f2413 and 827fd4cf7f989482b2dad381fa4afd642ea73e8c), which address the mod interception mechanism.
Details
- CWE(s)