CVE-2026-24130
Moonraker affected by LDAP search filter injection
Description
### Impact

Instances of Moonraker configured with the `ldap` component enabled are vulnerable to LDAP search filter injection via the login endpoint. The 401 error response message reveals whether or not a search was successful, allowing brute-force methods to discover LDAP entries on the server such as user IDs and user attributes.

### Patches

Users should upgrade to Moonraker 0.10.0, which patches this vulnerability.

### Workarounds

Admins can set the `max_login_attempts` option in the `[authorization]` section to a reasonable value. Any IP attempting to exploit this vulnerability will be locked out after it has reached the specified number of consecutive failed login attempts. This condition is cleared after a Moonraker restart. Note that if an attacker knows a valid user password they can bypass this protection by successfully logging in. The most secure workaround for users unable to upgrade is to remove the `ldap` section from `moonraker.conf` and rely on the built-in user authentication.
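The root cause of this class of bug is interpolating a user-supplied username into an LDAP search filter without escaping. The following is an added example, not Moonraker's code: it contrasts a naive filter builder with one that applies RFC 4515 escaping, and counts filter assertions to show that escaping keeps the query structure fixed. The filter shape `(uid=<username>)` is an assumption for illustration.

```python
# Added example (not Moonraker's code). The "(uid=...)" filter shape is an
# assumption; the point is the escaping, which applies to any filter value.

# RFC 4515 section 3: these characters must be escaped as \XX inside a
# filter assertion value so they cannot change the filter's structure.
_ESCAPE = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for safe use as an LDAP search filter assertion value."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: the raw username becomes part of the filter syntax."""
    return f"(uid={username})"


def build_filter_safe(username: str) -> str:
    """Hardened pattern: metacharacters are escaped before interpolation."""
    return f"(uid={escape_filter_value(username)})"


def count_assertions(ldap_filter: str) -> int:
    """Number of assertions in the filter.

    After escaping, the only literal "(" left are structural ones, so a
    plain count is exact; a value that adds assertions has changed the query.
    """
    return ldap_filter.count("(")


# Constructed sample input: a username containing filter metacharacters.
PROBE = "alice)(mail=a*"

if __name__ == "__main__":
    for build in (build_filter_unsafe, build_filter_safe):
        f = build(PROBE)
        print(f"{build.__name__}: {f!r} -> {count_assertions(f)} assertion(s)")
```

In production code, prefer the LDAP library's own escaper (for example `ldap3.utils.conv.escape_filter_chars` or python-ldap's `ldap.filter.escape_filter_chars`) over a hand-rolled table.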
How to fix CVE-2026-24130
To remediate CVE-2026-24130, upgrade the affected package to a fixed version below.
- Moonraker: upgrade to 0.10.0 or later
Is CVE-2026-24130 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Moonraker: from 0, < 0.10.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U |