CVE-2026-34068
Awaiting Analysis Awaiting Analysis - Queue
BLS Rogue-Key Vulnerability in Nimiq Staking Contract

Publication date: 2026-04-22

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, the staking contract accepts `UpdateValidator` transactions that set `new_voting_key=Some(...)` while omitting `new_proof_of_knowledge`. this skips the proof-of-knowledge requirement that is needed to prevent BLS rogue-key attacks when public keys are aggregated. Because tendermint macro block justification verification aggregates validator voting keys and verifies a single aggregated BLS signature against that aggregate public key, a rogue-key voting key in the validator set can allow an attacker to forge a quorum-looking justification while only producing a single signature. While the impact is critical, the exploitability is low: The voting keys are fixed for the epoch, so the attacker would need to know the next epoch validator set (chosen through VRF), which is unlikely. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34068
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nimiq nimiq_proof-of-stake to 1.3.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The vulnerability is fixed in version 1.3.0 of nimiq-transaction. Immediate mitigation involves upgrading to version 1.3.0 or later.

No known workarounds are available.

Executive Summary

This vulnerability exists in the nimiq-transaction component used in Nimiq's Rust implementation. Before version 1.3.0, the staking contract allowed UpdateValidator transactions to set a new voting key without providing the required proof-of-knowledge. This omission bypasses the protection against BLS rogue-key attacks, which occur when public keys are aggregated improperly.

Because the Tendermint macro block justification verification aggregates validator voting keys and verifies a single aggregated BLS signature, a rogue voting key can let an attacker forge a quorum-looking justification with only one signature.

Although the impact is critical, the exploitability is low since voting keys are fixed per epoch and the attacker would need to know the next epoch validator set, which is unlikely.

Impact Analysis

This vulnerability can allow an attacker to forge a quorum-looking justification in the blockchain consensus process by exploiting a rogue voting key.

Such an attack could undermine the integrity of the consensus mechanism by making it appear that a sufficient number of validators have signed off on a block when in fact only a single signature was produced.

This could lead to critical impacts on the trustworthiness and security of the blockchain network.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34068. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart