{"id":"GHSA-3jqf-v4mv-747g","summary":"Moonraker affected by LDAP search filter injection","details":"### Impact\n\nInstances of Moonraker configured with the `ldap` component enabled are vulnerable to LDAP search filter injection techniques via the login endpoint. The 401 error response message can be used to determine whether or not a search was successful, allowing for brute force methods to discover LDAP entries on the server such as user IDs and user attributes.\n\n### Patches\n\nUsers should upgrade to Moonraker 0.10.0, which patches this vulnerability.\n\n### Workarounds\n\nAdmins can set the `max_login_attempts` option in the `[authorization]` section to a reasonable value. Any IP attempting to exploit this vulnerability will be locked out after it has reached the specified number of consecutive failed login attempts. This condition is cleared after a Moonraker restart. Note that if an attacker knows a valid user password they can bypass this protection by successfully logging in.\n\nThe most secure workaround for users unable to upgrade is to remove the `ldap` section from `moonraker.conf` and rely on the built-in user authentication.","aliases":["CVE-2026-24130"],"modified":"2026-02-03T03:08:57.082525Z","published":"2026-01-22T18:06:54Z","database_specific":{"github_reviewed":true,"severity":"LOW","github_reviewed_at":"2026-01-22T18:06:54Z","nvd_published_at":"2026-01-22T23:15:58Z","cwe_ids":["CWE-90"]},"references":[{"type":"WEB","url":"https://github.com/Arksine/moonraker/security/advisories/GHSA-3jqf-v4mv-747g"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24130"},{"type":"WEB","url":"https://github.com/Arksine/moonraker/commit/74c5d8e44c4a4abbfbb06fb991e7ebb9ac947f42"},{"type":"PACKAGE","url":"https://github.com/Arksine/moonraker"}],"affected":[{"package":{"name":"moonraker","ecosystem":"PyPI","purl":"pkg:pypi/moonraker"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.10.0"}]}],"versions":["0.8.0","0.9.0","0.9.1","0.9.2","0.9.3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-3jqf-v4mv-747g/GHSA-3jqf-v4mv-747g.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"}]}