CVE-2026-34444: Lupa has a Sandbox escape and RCE due to incomplete attribute_filter enforcement in getattr / setattr
The attribute_filter in the Lupa library is intended to restrict access to sensitive Python attributes when exposing objects to Lua.
However, the filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution.
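A pure-Python model of the gap described above, added here as an illustration and not taken from Lupa or the advisory. `Proxy`, `raw_builtin`, `guarded_builtin` and `Account` are hypothetical names, and the model assumes the exposed built-ins receive the unwrapped host object; it contrasts built-ins exposed as-is with wrappers that consult the same filter first.

```python
def attribute_filter(obj, attr_name, is_setting):
    """Filter with the (obj, attr_name, is_setting) shape; policy is constructed."""
    if isinstance(attr_name, str) and not attr_name.startswith("_"):
        return attr_name
    raise AttributeError("access denied")

class Proxy:
    """Hypothetical stand-in for the wrapper a sandbox puts around a host object."""
    def __init__(self, target, flt):
        self.target, self.flt = target, flt
    def index(self, name):
        # Models `obj.name` in the sandboxed language: the filter runs first.
        return getattr(self.target, self.flt(self.target, name, False))

def unwrap(value):
    return value.target if isinstance(value, Proxy) else value

def raw_builtin(fn):
    """Weak exposure: arguments are unwrapped and the filter is never consulted."""
    return lambda obj, name, *rest: fn(unwrap(obj), name, *rest)

def guarded_builtin(fn, flt, is_setting):
    """Hardened exposure: the same filter mediates the built-in call."""
    def call(obj, name, *rest):
        target = unwrap(obj)
        return fn(target, flt(target, name, is_setting), *rest)
    return call

class Account:
    def __init__(self):
        self.owner = "alice"
        self._token = "constructed-secret"  # constructed sample value

def attempt(fn, *args):
    try:
        return ("ok", fn(*args))
    except AttributeError as exc:
        return ("denied", str(exc))

def demo():
    proxy = Proxy(Account(), attribute_filter)
    safe_get = guarded_builtin(getattr, attribute_filter, False)
    safe_set = guarded_builtin(setattr, attribute_filter, True)
    return {
        "direct": attempt(proxy.index, "_token"),
        "raw_getattr": attempt(raw_builtin(getattr), proxy, "_token"),
        "guarded_getattr": attempt(safe_get, proxy, "_token"),
        "guarded_public": attempt(safe_get, proxy, "owner"),
        "guarded_setattr": attempt(safe_set, proxy, "_token", "x"),
    }
```
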