External risk intelligence

Luanti could allow an internal attacker (one who can get a mod loaded) to gain full access to files on the host.

CVE advisory

Severity: CRITICAL (CVSS 9.0)

CVE-2026-41196

Luanti allows an internal attacker to execute unauthorized code on the host device by bypassing mod security (the Lua sandbox that mods run in). This vulnerability could lead to full system compromise, resulting in the exposure or modification of sensitive files and data.

Halo Surface Signal score: 1

Weakness: Code Injection

Product: Minetest

Affected versions: 5.0.0 to before 5.15.2

External exposure likelihood

Halo Surface Signal score for CVE-2026-41196

This vulnerability affects a game-creation platform. Exploitation requires significant user interaction, such as manually installing untrusted third-party mods or connecting to a specific malicious game server. The platform is not an enterprise internet-facing service or critical infrastructure, and it is primarily used in client-side or community-hosted environments.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the Luanti (formerly Minetest) game-creation platform allows a malicious mod to escape the mod-security sandbox it is supposed to run in. This lets an attacker run arbitrary code and read or modify the entire file system of the host. It is important to be aware of this if you use or develop for this platform, especially on versions before 5.15.2.

  • Can lead to full system compromise.
  • Affects server or client mods.
  • Exploitable with LuaJIT.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this by crafting a malicious mod for the Luanti game platform. When the mod is loaded and executed on a server or client running LuaJIT (including the async and mapgen Lua environments), it can break out of the mod-security sandbox. This allows the attacker to run arbitrary code on the user's machine with full filesystem access.

  • Requires LuaJIT.
  • Attacker provides malicious mod.
  • User must load mod.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Luanti (formerly Minetest) allows a malicious mod to execute arbitrary code on a user's device, providing full filesystem access. While the impact is severe, exploitation typically requires user interaction such as installing untrusted mods or joining a compromised server. The dependency on LuaJIT is a precondition worth checking, although LuaJIT is the interpreter shipped with the official release builds, so most installations meet it.

  • Exploitation requires user action.
  • Not an internet-facing service.
  • Specific LuaJIT dependency.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Luanti (Minetest) installations to version 5.15.2 or later to address the critical code execution vulnerability. If immediate patching is not feasible, apply the `getfenv = nil` workaround by adding that line at the end of `builtin/init.lua`, understanding that this breaks any mod that calls `getfenv`.

  • Update to version 5.15.2 or later.
  • Apply `getfenv = nil` workaround.
  • Review mods installed from untrusted sources and monitor for unexpected mod behavior, such as file-system activity outside the Luanti data directories.
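The getfenv path described under Attack Path and the `getfenv = nil` workaround above, as an added illustration that is not Luanti's own code and does not reproduce its exact escape: a toy environment-based sandbox in Lua 5.1 / LuaJIT in which the stock `getfenv` leaks the unrestricted global environment to an untrusted chunk, followed by the same chunk failing once `getfenv` has been cleared before the sandbox is built. The sandbox, the helper names (`make_sandbox_env`, `run_mod`, `demo`) and the mod source are assumptions constructed for the example; Luanti's real mod security is implemented in C++ and its specifics are not shown here.

```lua
-- Added example (not Luanti's code): a minimal environment-based Lua
-- sandbox in the style of mod security, showing why a reachable getfenv
-- lets untrusted code out of it under Lua 5.1 / LuaJIT, and why clearing
-- getfenv before the sandbox is built closes that path.
-- Sandbox, helper names and mod source are constructed for illustration;
-- Luanti's actual ScriptApiSecurity is C++ and differs from this toy.

-- Build the restricted environment a "mod" will run in. Only a short
-- whitelist is exposed; io and os are deliberately absent.
local function make_sandbox_env()
  return {
    print = print, pairs = pairs, tostring = tostring,
    string = string, table = table, math = math,
    getfenv = getfenv, -- the mistake: the stock getfenv lands in the whitelist
  }
end

-- Load untrusted source and run it with its globals redirected to env
-- (loadstring/setfenv are the Lua 5.1 APIs that LuaJIT implements).
local function run_mod(source, env)
  local chunk, err = loadstring(source, "=untrusted_mod")
  if not chunk then
    return false, err
  end
  setfenv(chunk, env)
  return pcall(chunk)
end

-- Constructed malicious mod. getfenv(0) returns the running thread's
-- global environment, not the chunk's own env, so it hands the mod the
-- unrestricted _G with io and os intact. getfenv(print) would do the
-- same, because getfenv on a C function also returns the global env.
-- The mod proves filesystem reach by creating and deleting a temp file.
local EVIL_MOD = [[
  local real_g = getfenv(0)
  local path = real_g.os.tmpname()
  local f = assert(real_g.io.open(path, "w"))
  f:write("sandbox escaped\n")
  f:close()
  real_g.os.remove(path)
  return "wrote and removed " .. path
]]

-- Run the same mod before and after the workaround and return both outcomes.
local function demo()
  local ok_before, res_before = run_mod(EVIL_MOD, make_sandbox_env())

  -- The advisory's workaround: clear the global before any sandbox
  -- environment is built, so no whitelist can copy it.
  getfenv = nil

  local ok_after, res_after = run_mod(EVIL_MOD, make_sandbox_env())
  return ok_before, res_before, ok_after, res_after
end

local ok_before, res_before, ok_after, res_after = demo()
print("getfenv reachable:", ok_before, res_before)
print("getfenv cleared:  ", ok_after, res_after)
```

Run with `luajit` (or any Lua 5.1 interpreter). The first call succeeds because the untrusted chunk reached the real `io` and `os` through `getfenv(0)`; the second fails with a call-on-nil error inside the mod, which is also why the workaround breaks legitimate mods that call `getfenv` (for example `getfenv(1)` to introspect their own environment). Removing the function from the global environment before the whitelist is assembled is what makes the mitigation hold regardless of what the whitelist copies later.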

Frequently asked questions

What is the nature of the vulnerability affecting Luanti (formerly Minetest), and what is its impact?

A vulnerability in Luanti (formerly Minetest) versions 5.0.0 through 5.15.1 allows a malicious mod to escape the sandboxed Lua environment. This enables an attacker to execute arbitrary code and gain full filesystem access on the user's device, leading to potential system compromise.

How can this Luanti vulnerability be triggered, and what are the conditions for exploitation?

Exploitation of this vulnerability requires a malicious mod to be loaded and executed within the Luanti platform. It is specifically exploitable when using LuaJIT and applies to both server-side and client-side environments, including async and mapgen contexts.

What is the relevance of this Luanti vulnerability, considering its potential attack vectors and user interaction requirements?

While the vulnerability allows for full filesystem access, exploitation is not considered a high immediate threat due to the required user interaction (e.g., installing untrusted mods or joining a malicious server) and the specific dependency on LuaJIT. It is not an enterprise internet-facing service.

What is the practical response to mitigate the Luanti code execution vulnerability?

To address this vulnerability, users should update Luanti (formerly Minetest) to version 5.15.2 or later. An alternative mitigation, if immediate updating is not possible, is to manually edit `builtin/init.lua` and add the line `getfenv = nil` at the end, though this may affect mods that rely on that function.

What are the specific software components and versions impacted by the Luanti vulnerability?

The vulnerability affects Luanti (formerly Minetest) starting from version 5.0.0 up to, but not including, version 5.15.2. The exploitability is conditional on the use of LuaJIT.
