CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24130: Moonraker LDAP Injection: Printing Secrets Instead of Benchies

Vulnerability ID: CVE-2026-24130
CVSS Score: 2.7
Published: 2026-01-22

A classic LDAP injection vulnerability in the Moonraker API server allows unauthenticated attackers to query the backend directory service via the login endpoint. By crafting malicious usernames, attackers can trigger a blind injection oracle to enumerate users and extract attribute data.

TL;DR

Moonraker versions 0.9.3 and below fail to escape usernames before interpolating them into an LDAP search filter, so an attacker can inject additional filter terms through the login endpoint. By observing subtle differences in the HTTP 401 error responses, an attacker can map out the directory structure and harvest valid usernames. Fixed in version 0.10.0.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-90 (LDAP Injection)
  • CVSS v4.0: 2.7 (Low)
  • Attack Vector: Network (API)
  • Privileges Required: None
  • User Interaction: None
  • Impact: Confidentiality (Low)
  • Patch Status: Fixed in 0.10.0

Affected Systems

  • Moonraker API Server (LDAP Component)
  • Moonraker: < 0.10.0 (Fixed in: 0.10.0)

Code Analysis

Commit: 74c5d8e

ldap: resolve filter injection vulnerability

@@ -1,5 +1,6 @@
+from ldap3.utils.conv import escape_filter_chars
...
-    ldfilt = f"(&(objectClass=Person)({attr_name}={username}))"
+    escaped_user = escape_filter_chars(username)
+    ldfilt = f"(&(objectClass=Person)({attr_name}={escaped_user}))"
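Review bot: `attr_name` is still interpolated into the filter unescaped on the same line that now escapes `username`; that is acceptable only if it comes from trusted operator configuration, so if it can ever be influenced by the request, validate it against a fixed allowlist of attribute names rather than passing it through `escape_filter_chars`, which is designed for assertion values, not attribute descriptions. For the value itself `escape_filter_chars` is the right call: it applies the RFC 4515 escaping of `*`, `(`, `)`, `\` and NUL, so a username can no longer close the assertion or append terms. Since the hunk is shown abbreviated (`...`), the placement of the new import relative to the module's other `ldap3` imports cannot be checked here.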

Exploit Details

  • Theoretical: Blind Boolean Enumeration via Error Messages

Mitigation Strategies

  • Input Sanitization: Always escape user input before using it in LDAP filters.
  • Error Handling: Return generic error messages for all authentication failures to prevent side-channel leaks.
  • Least Privilege: Ensure the LDAP bind user used by Moonraker has read-only access to the absolute minimum attributes required.
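To make the injection described in the TL;DR and the "Input Sanitization" mitigation concrete, here is an added example that is not Moonraker's own code. It builds the login search filter the vulnerable way and the fixed way, and uses a small structural check to show that an unescaped username changes the number of comparisons the directory evaluates while an escaped one does not. The escaping function is reimplemented inline (an assumption made so the block runs without the `ldap3` package); it performs the same RFC 4515 mapping as `ldap3.utils.conv.escape_filter_chars`, which the project's fix imports. The attribute name `uid` and the sample usernames are constructed for the example.

```python
# Added example, not Moonraker's own code: vulnerable vs. hardened filter
# construction, plus a structural check that exposes injection without
# needing a directory server.

# RFC 4515 escaping for an assertion value. ldap3.utils.conv.escape_filter_chars,
# which the fix uses, performs this same mapping; it is reimplemented here so
# the example runs without ldap3 installed (assumption: equivalent behaviour
# for these five characters).
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_chars(value: str) -> str:
    """Escape characters that have meaning inside an LDAP filter value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(attr_name: str, username: str) -> str:
    """Shape of the pre-0.10.0 code: the raw username is interpolated."""
    return f"(&(objectClass=Person)({attr_name}={username}))"


def build_filter_safe(attr_name: str, username: str) -> str:
    """Shape of the 0.10.0 fix: the username is escaped first."""
    escaped_user = escape_filter_chars(username)
    return f"(&(objectClass=Person)({attr_name}={escaped_user}))"


def count_assertions(ldap_filter: str) -> int:
    """Count the '(attribute=value)' leaves in a filter.

    A leaf starts with a '(' that is not followed by one of the operators
    '&', '|' or '!'. Escaped parentheses appear as '\\28' / '\\29' and are
    therefore ordinary characters, not new leaves.
    """
    return sum(
        1
        for i, ch in enumerate(ldap_filter)
        if ch == "(" and ldap_filter[i + 1 : i + 2] not in ("&", "|", "!")
    )


def login_filter_is_sane(ldap_filter: str) -> bool:
    """A login lookup compares exactly two things: objectClass and the
    configured user attribute. Any other count means the username altered
    the structure of the query."""
    return count_assertions(ldap_filter) == 2


if __name__ == "__main__":
    # Constructed inputs: an ordinary username and one carrying the filter
    # metacharacters the report describes.
    ordinary = "benchy_printer"
    crafted = "*)(uid=*"
    for name in (ordinary, crafted):
        unsafe = build_filter_unsafe("uid", name)
        safe = build_filter_safe("uid", name)
        print(f"{name!r}")
        print(f"  unsafe: {unsafe}  sane={login_filter_is_sane(unsafe)}")
        print(f"  safe:   {safe}  sane={login_filter_is_sane(safe)}")
```

Running the block shows the unsafe filter for the crafted name growing to three assertions, which is exactly the extra term the directory would evaluate and whose result leaks through the differing 401 responses; the escaped filter keeps two assertions and treats the metacharacters as literal username bytes. A check like `login_filter_is_sane` is a useful defence-in-depth assertion or log-only detector in front of the bind call, but it is not a substitute for escaping.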

Remediation Steps:

  1. Update Moonraker to version 0.10.0 or later.
  2. If updating is not immediately possible, disable the [ldap] component in moonraker.conf.
  3. Configure max_login_attempts in moonraker.conf to slow down brute-force enumeration.

References
Read the full report for CVE-2026-24130 on our website for more details including interactive diagrams and full exploit analysis.
