Moonraker with LDAP Enabled Allows Malicious Search Filter Injection
Description
Moonraker is a Python web server providing API access to Klipper 3D printing firmware. In versions 0.9.3 and below, instances configured with the "ldap" component enabled are vulnerable to LDAP search filter injection techniques via the login endpoint. The 401 error response message can be used to determine whether or not a search was successful, allowing for brute force methods to discover LDAP entries on the server such as user IDs and user attributes. This issue has been fixed in version 0.10.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
moonrakerPyPI | < 0.10.0 | 0.10.0 |
Affected products
1Patches
174c5d8e44c4aldap: resolve filter injection vulnerability
1 file changed · +6 −4
moonraker/components/ldap.py+6 −4 modified@@ -10,6 +10,7 @@ import logging import ldap3 from ldap3.core.exceptions import LDAPExceptionError +from ldap3.utils.conv import escape_filter_chars # Annotation imports from typing import ( @@ -57,14 +58,14 @@ def __init__(self, config: ConfigHelper) -> None: ) self.lock = asyncio.Lock() - async def authenticate_ldap_user(self, username, password) -> None: + async def authenticate_ldap_user(self, username: str, password: str) -> None: eventloop = self.server.get_event_loop() async with self.lock: await eventloop.run_in_thread( self._perform_ldap_auth, username, password ) - def _perform_ldap_auth(self, username, password) -> None: + def _perform_ldap_auth(self, username: str, password: str) -> None: server = ldap3.Server( self.ldap_host, self.ldap_port, use_ssl=self.ldap_secure, connect_timeout=10. @@ -75,9 +76,10 @@ def _perform_ldap_auth(self, username, password) -> None: "auto_bind": ldap3.AUTO_BIND_NO_TLS, } attr_name = "sAMAccountName" if self.active_directory else "uid" - ldfilt = f"(&(objectClass=Person)({attr_name}={username}))" + escaped_user = escape_filter_chars(username) + ldfilt = f"(&(objectClass=Person)({attr_name}={escaped_user}))" if self.user_filter: - ldfilt = self.user_filter.replace("USERNAME", username) + ldfilt = self.user_filter.replace("USERNAME", escaped_user) try: with ldap3.Connection(server, **conn_args) as conn: ret = conn.search(
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-3jqf-v4mv-747gghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-24130ghsaADVISORY
- github.com/Arksine/moonraker/commit/74c5d8e44c4a4abbfbb06fb991e7ebb9ac947f42ghsax_refsource_MISCWEB
- github.com/Arksine/moonraker/security/advisories/GHSA-3jqf-v4mv-747gghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.