External risk intelligence

Luanti sandbox escape could allow attackers to take control of your systems.

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-40959

An external attacker could exploit Luanti by loading a malicious mod, allowing them to execute unauthorized code and gain administrative control of the server. This matters because it could lead to a complete system compromise.

Halo Surface Signal

External exposure likelihood

Halo Surface Signal score for CVE-2026-40959: 2

Luanti is a game engine. This vulnerability is triggered by the manual installation or execution of a crafted, untrusted mod. While game servers can be internet-facing, the exploit requires the attacker to successfully introduce a malicious mod into the server environment, which is not a standard remote network attack vector and typically requires specific administrative action or configuration.

Horizon Alert

Summary of the vulnerability and why it matters

A security flaw in Luanti, when using LuaJIT, allows bypassing sandbox restrictions. This is significant because it could permit unauthorized code execution within the application.

  • Escapes code restrictions.
  • Potential for unauthorized code execution.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by tricking a user or administrator into loading a crafted Lua mod into a Luanti 5 environment that uses LuaJIT. This could allow them to escape the sandbox and execute arbitrary code on the system running Luanti.

  • Requires local access.
  • Triggered by loading an untrusted mod.
  • Uses a Lua sandbox escape.

Live Threat

Current exploitation, exposure, and threat context

Attackers may be hesitant to weaponize this CVE because exploitation requires a local presence or the successful injection of a crafted mod into the Lua sandbox environment, making it a less direct attack vector than many remote code execution vulnerabilities. The need for specific user interaction or administrative action to introduce the malicious mod limits its immediate appeal for widespread automated exploitation.

  • Requires mod injection or local access.
  • No public exploit code reported.
  • Vendor notes a deferred status.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize updating Luanti to version 5.15.2 or later, which addresses the critical Lua sandbox escape vulnerability. If updating is not immediately feasible, isolate affected services to prevent the introduction of malicious mods and apply strict validation to every mod installation.

  • Update Luanti to 5.15.2 or newer.
  • Isolate services; validate all mod uploads.
  • Monitor for Lua sandbox escape attempts.

Frequently asked questions

What is Luanti and what is it used for?

Luanti is a game engine used for creating and running games. This vulnerability affects Luanti version 5 and earlier when LuaJIT is also in use.

What is the weakness in CVE-2026-40959?

CVE-2026-40959 describes a Lua sandbox escape vulnerability. This means that code running in a restricted Lua environment within Luanti could break out and execute commands outside of its intended limitations.

How can an attacker trigger this vulnerability?

An attacker would need to introduce a specially crafted Lua mod into a Luanti 5 environment that is using LuaJIT. It is not triggered by simply running Luanti or by network activity alone.

Who should be concerned about CVE-2026-40959?

Organizations running Luanti 5 with LuaJIT should be concerned. The Halo Surface Signal indicates this is an internal threat, meaning an attacker would likely need some level of access or the ability to introduce a malicious mod to the system.

What is the first step to respond to this threat?

The immediate first step is to update Luanti to version 5.15.2 or a later release. If an update isn't possible right away, consider isolating the affected Luanti services to prevent the loading of unverified mods.
