Severity by source
AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Description (CVE.org)
Luanti 5 before 5.15.2 sometimes allows unintended access to an insecure environment. If at least one mod is listed as secure.trusted_mods or secure.http_mods, then a crafted mod can intercept the request for the insecure environment or HTTP API, and also receive access to it.
Analysis (AI)
Logic error in Luanti 5 (formerly Minetest) game engine before 5.15.2 allows malicious mods to gain unauthorized access to security-restricted APIs by intercepting mod environment setup. When any mod is designated as trusted (via secure.trusted_mods or secure.http_mods), a specially crafted mod can exploit the environment initialization sequence to receive the insecure environment or HTTP API access intended only for trusted mods. …
Vulnerability Assessment (AI)
| Exploitation | Exploitation requires two specific conditions: (1) at least one mod must be explicitly listed in the server's secure.trusted_mods or secure.http_mods configuration settings, which creates the privileged environment that can be intercepted, and (2) the attacker must have local file system write access to install a malicious mod into the Luanti mods directory before server startup or during mod reload. … |
| Risk Assessment | Real-world risk depends heavily on deployment context. … |
| Exploit Scenario | An attacker with local access to a Luanti multiplayer server creates a malicious mod with carefully chosen initialization hooks and naming to execute during the mod loading phase. When the server administrator has configured legitimate mods in secure.trusted_mods to enable HTTP API access for content updates, the malicious mod intercepts the environment assignment. … |
| Remediation | Upgrade to Luanti 5.15.2 or later, which contains fixes in commits 0faf529bc4b89e70a275ed1162047815118f2413 and 827fd4cf7f989482b2dad381fa4afd642ea73e8c that correct the mod environment initialization logic. … |
Recommended Action (AI)
Within 24 hours: Inventory all Luanti 5 installations and document current versions; identify systems running versions prior to 5.15.2. …
Vendor Status
SUSE
Severity: High
EUVD-2026-23151