CVE-2026-24130
Moonraker affected by LDAP search filter injection
Description
### Impact

Instances of Moonraker configured with the `ldap` component enabled are vulnerable to LDAP search filter injection techniques via the login endpoint. The 401 error response message can be used to determine whether or not a search was successful, allowing for brute force methods to discover LDAP entries on the server such as user IDs and user attributes.

### Patches

Users should upgrade to Moonraker 0.10.0, which patches this vulnerability.

### Workarounds

Admins can set the `max_login_attempts` option in the `[authorization]` section to a reasonable value. Any IP attempting to exploit this vulnerability will be locked out after it has reached the specified number of consecutive failed login attempts. This condition is cleared after a Moonraker restart. Note that if an attacker knows a valid user password they can bypass this protection by successfully logging in. The most secure workaround for users unable to upgrade is to remove the `ldap` section from `moonraker.conf` and rely on the built-in user authentication.
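The root cause described above is user-controlled text being spliced into an LDAP search filter without escaping. The following added example (not Moonraker's code, and not taken from the fix in 0.10.0) shows the vulnerable construction beside a hardened one that hex-escapes the RFC 4515 metacharacters, and runs both against a constructed in-memory directory so the difference in what each filter matches is visible. The `uid` attribute, the filter template and the function names are assumptions made for illustration.

```python
import re

# Constructed sample directory standing in for the LDAP server's user entries.
DIRECTORY = [
    {"uid": "alice", "mail": "alice@example.test"},
    {"uid": "bob", "mail": "bob@example.test"},
    {"uid": "carol", "mail": "carol@example.test"},
]

# RFC 4515 section 3: characters that carry syntax inside a filter value must
# be replaced by a backslash followed by their two-digit hex code.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unsafe_user_filter(username: str) -> str:
    """Vulnerable pattern: the login name is interpolated verbatim (assumed template)."""
    return f"(uid={username})"


def safe_user_filter(username: str) -> str:
    """Hardened pattern: the same template with the value escaped first."""
    return f"(uid={escape_filter_value(username)})"


def _unescape(value: str) -> str:
    """Decode \\XX hex escapes back to the literal characters they stand for."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(filter_str: str, entries: list) -> list:
    """Toy evaluator for one equality assertion '(attr=value)'.

    Supports only what the demonstration needs: an unescaped '*' acts as a
    wildcard, escaped characters are compared literally. Real servers parse
    the full filter grammar; this is enough to show what each filter matches.
    """
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if m is None:
        raise ValueError(f"unsupported filter: {filter_str!r}")
    attr, pattern = m.group(1), m.group(2)
    segments = [re.escape(_unescape(seg)) for seg in pattern.split("*")]
    regex = ".*".join(segments)
    return [e for e in entries if re.fullmatch(regex, e.get(attr, ""))]


if __name__ == "__main__":
    for name in ("alice", "*"):
        for build in (unsafe_user_filter, safe_user_filter):
            f = build(name)
            hits = [e["uid"] for e in search(f, DIRECTORY)]
            print(f"{build.__name__:18} {f!r:18} -> {hits}")
```

With the legitimate name `alice` both filters match exactly one entry; with the single character `*` the unescaped filter becomes a presence match over every user while the escaped filter matches nothing, because `\2a` is compared as a literal asterisk. Escaping at the point where the value enters the filter is the fix; rate limiting such as `max_login_attempts` only slows down the enumeration the advisory describes.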
How to fix CVE-2026-24130
To fix CVE-2026-24130, upgrade the affected package to the patched version listed below.
- Upgrade to 0.10.0 or later
Is CVE-2026-24130 being exploited?
Low: the EPSS score is 0.0%, and no large-scale exploitation activity has been observed so far.
Affected packages (1)
- from 0, < 0.10.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U |