CVE-2026-40093
Received Received - Intake
Timestamp Manipulation in Nimiq Blockchain Causes Monetary Inflation

Publication date: 2026-04-09

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In 1.3.0 and earlier, block timestamp validation enforces that timestamp >= parent.timestamp for non-skip blocks and timestamp == parent.timestamp + MIN_PRODUCER_TIMEOUT for skip blocks, but there is no visible upper bound check against the wall clock. A malicious block-producing validator can set block timestamps arbitrarily far in the future. This directly affects reward calculations via Policy::supply_at() and batch_delay() in blockchain/src/reward.rs, inflating the monetary supply beyond the intended emission schedule.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40093
EUVD
EUVD-2026-21146
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nimiq nimiq_proof-of-stake to 1.3.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1284 The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the nimiq-blockchain's Rust implementation, specifically in versions 1.3.0 and earlier. It concerns the validation of block timestamps. While the system enforces that a block's timestamp must be greater than or equal to its parent's timestamp for non-skip blocks and exactly equal to the parent's timestamp plus a minimum timeout for skip blocks, it does not enforce an upper bound against the actual current time (wall clock).

This means a malicious block-producing validator can set block timestamps arbitrarily far into the future. This manipulation affects reward calculations, causing the monetary supply to inflate beyond the intended emission schedule.

Impact Analysis

This vulnerability can lead to an inflation of the monetary supply in the Nimiq blockchain beyond what was intended by its emission schedule. A malicious validator can exploit the lack of an upper bound on block timestamps to artificially increase rewards.

As a result, the economic integrity of the blockchain can be compromised, potentially devaluing the currency and undermining trust in the system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40093. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart