CVE Catalog

CVE-2026-41196

Critical
Published: Translated: NVD NIST

Summary

Luanti (formerly Minetest) has a vulnerability that allows malicious mods to escape the sandboxed Lua environment and execute arbitrary code, gaining full filesystem access on the user's device. This affects both server-side mods and client-side environments.

Risk Assessment

Organizations may face serious security threats, including unauthorized access to data and systems, potentially leading to loss of confidentiality and integrity of information.

Recommendation

It is recommended to upgrade to version 5.15.2, which contains a patch. Alternatively, the issue can be patched manually by editing the `builtin/init.lua` file and adding the line `getfenv = nil` at the end, keeping in mind that this may affect the functionality of some mods.

Original NVD description (English source)

Luanti (formerly Minetest) is an open source voxel game-creation platform. Starting in version 5.0.0 and prior to version 5.15.2, a malicious mod can trivially escape the sandboxed Lua environment to execute arbitrary code and gain full filesystem access on the user's device. This applies to the server-side mod, async and mapgen as well as the client-side (CSM) environments. This vulnerability is only exploitable when using LuaJIT. Version 5.15.2 contains a patch. On release versions, one can also patch this issue without recompiling by editing `builtin/init.lua` and adding the line `getfenv = nil` at the end. Note that this will break mods relying on this function (which is not inherently unsafe).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS