CVE-2026-34209
Received Received - Intake
Improper Validation in mppx Allows Free Channel Closure

Publication date: 2026-03-31

Last updated on: 2026-04-03

Assigner: GitHub, Inc.

Description
mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using "<" instead of "<=" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-03
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34209
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wevm mppx to 0.4.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-294 A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in mppx allows an attacker to close or grief a payment channel for free by submitting a close voucher equal to the on-chain settled amount without committing new funds. This compromises the integrity of the channel closure process, classified under CWE-294 (Authentication Bypass by Capture-replay).

While the vulnerability impacts data integrity by allowing unauthorized modification of channel state, there is no indication from the provided information that it affects confidentiality or availability of data.

Because the vulnerability primarily affects data integrity in a financial transaction protocol and does not involve unauthorized access to personal data or breach of confidentiality, its direct impact on compliance with standards like GDPR or HIPAA is not explicitly stated or evident from the provided information.

Executive Summary

CVE-2026-34209 is a vulnerability in the mppx TypeScript interface for machine payments protocol, specifically in the tempo/session cooperative close handler. Before version 0.4.11, the system validated close vouchers using a less-than comparison against the on-chain settled amount, which allowed an attacker to submit a close voucher exactly equal to the settled amount. This voucher would be accepted without requiring any new funds, enabling the attacker to close or grief the payment channel for free.

The issue arises because the validation logic incorrectly allowed vouchers equal to the settled amount, effectively permitting replay attacks that do not increase committed funds. This flaw was fixed by changing the validation to reject vouchers that are less than or equal to the settled amount, ensuring only vouchers with amounts strictly greater than the settled amount are accepted.

Impact Analysis

This vulnerability can impact you by allowing an attacker to close or grief a payment channel without committing any new funds. Essentially, an attacker can submit a close voucher equal to the on-chain settled amount, which the system would accept erroneously, leading to unauthorized channel closure.

The impact is high on data integrity because the attacker can manipulate the channel state by replaying settled amounts, potentially causing financial loss or disruption in payment processing. However, confidentiality and availability are not affected.

Detection Guidance

This vulnerability involves the incorrect validation of close vouchers in the mppx system, specifically accepting vouchers equal to the on-chain settled amount. Detection would involve monitoring or inspecting the close voucher amounts being submitted to the mppx service.

Since the issue is related to the logic in the tempo/session cooperative close handler, one way to detect exploitation attempts is to log or audit close voucher amounts that are exactly equal to the on-chain settled amount, which should normally be rejected.

There are no explicit commands provided in the resources for detection. However, you can consider the following approaches:

  • Enable detailed logging in the mppx service to capture close voucher submissions and their amounts.
  • Use network monitoring tools to capture and analyze traffic to the mppx service, looking for close voucher messages with amounts equal to the settled amount.
  • If you have access to the mppx source or runtime environment, add or review test cases similar to the one added in the patch (rejecting close vouchers equal to the settled amount) to verify correct behavior.

No specific command-line commands or scripts are provided in the resources for direct detection.

Mitigation Strategies

The primary mitigation step is to upgrade the mppx package to version 0.4.11 or later, where the vulnerability has been patched.

This update corrects the validation logic in the close voucher handler to reject vouchers that are equal to the on-chain settled amount, preventing attackers from closing channels without committing new funds.

No workarounds are available according to the advisory, so upgrading is the only effective immediate mitigation.

  • Update mppx to version 0.4.11 or later.
  • Review and apply any related security patches or updates from the mppx project.
  • Enable logging and monitoring to detect any attempts to exploit this vulnerability.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34209. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart