CVE-2026-34209
Improper Validation in mppx Allows Free Channel Closure
Publication date: 2026-03-31
Last updated on: 2026-04-03
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wevm | mppx | to 0.4.11 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-294 | A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes). |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in mppx allows an attacker to close or grief a payment channel for free by submitting a close voucher equal to the on-chain settled amount without committing new funds. This compromises the integrity of the channel closure process, classified under CWE-294 (Authentication Bypass by Capture-replay).
While the vulnerability impacts data integrity by allowing unauthorized modification of channel state, there is no indication from the provided information that it affects confidentiality or availability of data.
Because the vulnerability primarily affects data integrity in a financial transaction protocol and does not involve unauthorized access to personal data or breach of confidentiality, its direct impact on compliance with standards like GDPR or HIPAA is not explicitly stated or evident from the provided information.
Can you explain this vulnerability to me?
CVE-2026-34209 is a vulnerability in the mppx TypeScript interface for machine payments protocol, specifically in the tempo/session cooperative close handler. Before version 0.4.11, the system validated close vouchers using a less-than comparison against the on-chain settled amount, which allowed an attacker to submit a close voucher exactly equal to the settled amount. This voucher would be accepted without requiring any new funds, enabling the attacker to close or grief the payment channel for free.
The issue arises because the validation logic incorrectly allowed vouchers equal to the settled amount, effectively permitting replay attacks that do not increase committed funds. This flaw was fixed by changing the validation to reject vouchers that are less than or equal to the settled amount, ensuring only vouchers with amounts strictly greater than the settled amount are accepted.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to close or grief a payment channel without committing any new funds. Essentially, an attacker can submit a close voucher equal to the on-chain settled amount, which the system would accept erroneously, leading to unauthorized channel closure.
The impact is high on data integrity because the attacker can manipulate the channel state by replaying settled amounts, potentially causing financial loss or disruption in payment processing. However, confidentiality and availability are not affected.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the incorrect validation of close vouchers in the mppx system, specifically accepting vouchers equal to the on-chain settled amount. Detection would involve monitoring or inspecting the close voucher amounts being submitted to the mppx service.
Since the issue is related to the logic in the tempo/session cooperative close handler, one way to detect exploitation attempts is to log or audit close voucher amounts that are exactly equal to the on-chain settled amount, which should normally be rejected.
There are no explicit commands provided in the resources for detection. However, you can consider the following approaches:
- Enable detailed logging in the mppx service to capture close voucher submissions and their amounts.
- Use network monitoring tools to capture and analyze traffic to the mppx service, looking for close voucher messages with amounts equal to the settled amount.
- If you have access to the mppx source or runtime environment, add or review test cases similar to the one added in the patch (rejecting close vouchers equal to the settled amount) to verify correct behavior.
No specific command-line commands or scripts are provided in the resources for direct detection.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the mppx package to version 0.4.11 or later, where the vulnerability has been patched.
This update corrects the validation logic in the close voucher handler to reject vouchers that are equal to the on-chain settled amount, preventing attackers from closing channels without committing new funds.
No workarounds are available according to the advisory, so upgrading is the only effective immediate mitigation.
- Update mppx to version 0.4.11 or later.
- Review and apply any related security patches or updates from the mppx project.
- Enable logging and monitoring to detect any attempts to exploit this vulnerability.