Skip to main content

Lupa CVE-2026-34444

| EUVDEUVD-2026-19346 HIGH
Improper Access Control (CWE-284)
2026-04-06 GitHub_M GHSA-69v7-xpr6-6gjm
7.9
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
HIGH
qualitative
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 06, 2026 - 16:00 euvd
EUVD-2026-19346
Analysis Generated
Apr 06, 2026 - 16:00 vuln.today
CVE Published
Apr 06, 2026 - 15:30 nvd
HIGH 7.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on lupa (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.6.

DescriptionCVE.org

Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution.

AnalysisAI

Arbitrary code execution in Lupa (Python-Lua integration library) versions ≤2.6 allows unauthenticated remote attackers to bypass attribute filtering controls via Python's getattr/setattr built-ins. The vulnerability enables attackers to circumvent sandbox restrictions designed to limit Lua runtime access to sensitive Python objects, ultimately achieving code execution in the CPython host process. EPSS data unavailable; no CISA KEV listing or public exploit identified at time of analysis, though exploitation complexity is low per CVSS vector (AC:L, PR:N).

Technical ContextAI

Lupa (scoder/lupa, CPE 2.3:a:scoder:lupa) is a Python library that embeds Lua or LuaJIT2 runtimes into CPython, enabling bidirectional interaction between Python and Lua code. The library implements attribute_filter mechanisms to sandbox Lua code and prevent unauthorized access to Python object attributes. This vulnerability (CWE-284: Improper Access Control) stems from inconsistent enforcement of these filters when attributes are accessed indirectly through Python's built-in getattr() and setattr() functions rather than direct attribute access syntax. Attackers can leverage Lua code to invoke these built-ins with crafted attribute names, bypassing the filter logic that only protects direct attribute lookups. Since Lua code can call Python functions exposed by Lupa, this creates a path to access restricted Python internals, module imports, or subprocess execution capabilities that should be blocked by the sandbox.

RemediationAI

Upgrade Lupa to the patched version specified in the vendor security advisory at https://github.com/scoder/lupa/security/advisories/GHSA-69v7-xpr6-6gjm. The fix ensures attribute_filter enforcement applies consistently to all attribute access methods including getattr, setattr, delattr, and hasattr built-ins. Organizations unable to upgrade immediately should implement defense-in-depth controls including: disable or heavily restrict Lupa usage in untrusted contexts, run Python processes using Lupa under restricted system accounts with minimal privileges, implement application-layer input validation to reject Lua code containing getattr/setattr invocations, and deploy runtime application self-protection or syscall filtering to detect abnormal subprocess creation or network activity from Lupa-hosting processes. Review application logs for suspicious Lua script patterns attempting to access __builtins__, __import__, os, subprocess, or other sensitive Python modules through indirect attribute access.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-34444 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy