CVE-2026-40960 PUBLISHED

Assigner: mitre
Reserved: 16.04.2026 Published: 16.04.2026 Updated: 16.04.2026

Luanti 5 before 5.15.2 sometimes allows unintended access to an insecure environment. If at least one mod is listed as secure.trusted_mods or secure.http_mods, then a crafted mod can intercept the request for the insecure environment or HTTP API, and also receive access to it.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 8.1

Attack Vector	Local	Scope	Changed
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Luanti
Product	Luanti
Versions	Default: unaffected affected from 5.0.0 to 5.15.2 (excl.)

References

https://github.com/luanti-org/luanti/security/advisories/GHSA-22c4-238c-m5j4
https://github.com/luanti-org/luanti/commit/0faf529bc4b89e70a275ed1162047815118f2413
https://github.com/luanti-org/luanti/commit/827fd4cf7f989482b2dad381fa4afd642ea73e8c

Problem Types

CWE-670 Always-Incorrect Control Flow Implementation CWE