CVE-2026-24130

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-24130

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24130.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-24130

Aliases

GHSA-3jqf-v4mv-747g

Published

2026-01-22T22:53:34.769Z

Modified

2026-03-01T07:34:21.916366Z

Severity

2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

Moonraker with LDAP Enabled Allows Malicious Search Filter Injection

Details

Moonraker is a Python web server providing API access to Klipper 3D printing firmware. In versions 0.9.3 and below, instances configured with the "ldap" component enabled are vulnerable to LDAP search filter injection techniques via the login endpoint. The 401 error response message can be used to determine whether or not a search was successful, allowing for brute force methods to discover LDAP entries on the server such as user IDs and user attributes. This issue has been fixed in version 0.10.0.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24130.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-209",
        "CWE-90"
    ]
}

References

Affected packages

Git / github.com/arksine/moonraker

Affected ranges

Type: GIT
Repo: https://github.com/arksine/moonraker
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

16e530eb663218faa6ccd97ffb0583f1880e2983

Affected versions

v.*

v.08

v0.*

v0.1.0

v0.2.0

v0.2.1

v0.2.2

v0.2.3

v0.2.4

v0.2.5

v0.2.6

v0.2.7

v0.2.8

v0.3.0

v0.3.1

v0.4.1

v0.5.0

v0.6.0

v0.7.0

v0.7.1

v0.8.0

v0.9.0

v0.9.1

v0.9.2

v0.9.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24130.json"