CVE-2026-28402
Published: 27 February 2026
Summary
CVE-2026-28402 is a high-severity Improper Validation of Integrity Check Value (CWE-354) vulnerability in Nimiq Proof-of-Stake. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 1.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
CVE-2026-28402 affects nimiq/core-rs-albatross, a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm, in versions prior to 1.2.2. The vulnerability arises in macro block proposal verification, where a proposer can submit a proposal with a `header.body_root` that does not match the hash of the actual macro body. The verification process checks the header but skips validating the binding between `body_root` and `hash(body)`, allowing the malformed proposal to pass initial checks. Subsequent code assumes this binding holds true, potentially triggering a panic and crash on validator nodes when processing the mismatch. This issue is classified under CWE-354 (Improper Validation of Integrity Check Value) with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Exploitation requires a malicious or compromised validator to be elected as proposer, granting low-privilege (PR:L) network access (AV:N) with low complexity (AC:L) and no user interaction (UI:N). The attacker publishes the tampered macro block proposal, which validators accept during proposal verification but fail to process correctly later, leading to panics and crashes. This results in a denial-of-service on affected validator nodes, with high availability impact (A:H) and low integrity impact (I:L), but no confidentiality loss (C:N). The scope remains unchanged (S:U), and impacts are limited to validator nodes only.
The patch, released in version 1.2.2, adds explicit verification of the `body_root == hash(body)` binding during proposal checks, as detailed in the GitHub security advisory (GHSA-7wh6-rmxx-ww47), pull request #3623, commit 6454c26d966858c5520f55739a30b94c17656c85, and release notes. No workarounds are available.
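The missing binding check and its fix, as an added example that is not code from core-rs-albatross. All type and function names are hypothetical, the types are heavily simplified, and `DefaultHasher` stands in for the protocol's real hash function only to keep the example dependency-free.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};
// Hypothetical, simplified types (assumptions; not the project's structures).
#[derive(Hash)]
struct MacroBody { validators: Vec<String> }
struct MacroHeader { block_number: u32, body_root: u64 }
struct Proposal { header: MacroHeader, body: MacroBody }
#[derive(Debug, PartialEq)]
enum ProposalError { InvalidHeader, BodyRootMismatch }

// Stand-in hash: std's DefaultHasher, not the hash the protocol uses.
fn hash_body(body: &MacroBody) -> u64 {
    let mut h = DefaultHasher::new();
    body.hash(&mut h);
    h.finish()
}

fn verify_header(h: &MacroHeader, expected_number: u32) -> Result<(), ProposalError> {
    if h.block_number == expected_number { Ok(()) } else { Err(ProposalError::InvalidHeader) }
}

// Shape of the flaw: the header is validated, the body_root binding is not.
fn verify_proposal_unpatched(p: &Proposal, expected_number: u32) -> Result<(), ProposalError> {
    verify_header(&p.header, expected_number)
}

// Shape of the fix: reject unless body_root == hash(body).
fn verify_proposal_patched(p: &Proposal, expected_number: u32) -> Result<(), ProposalError> {
    verify_header(&p.header, expected_number)?;
    if p.header.body_root == hash_body(&p.body) { Ok(()) } else { Err(ProposalError::BodyRootMismatch) }
}

// Later processing that takes the binding for granted and panics if it is broken.
fn apply_macro_block(p: &Proposal) -> usize {
    assert_eq!(p.header.body_root, hash_body(&p.body), "body_root does not bind body");
    p.body.validators.len()
}

// Constructed sample: with `tamper`, the header commits to a root the body does not hash to.
fn sample_proposal(tamper: bool) -> Proposal {
    let body = MacroBody { validators: vec!["v1".into(), "v2".into()] };
    let body_root = hash_body(&body).wrapping_add(tamper as u64);
    Proposal { header: MacroHeader { block_number: 32, body_root }, body }
}

fn main() {
    println!("honest proposal applies: {} validators", apply_macro_block(&sample_proposal(false)));
    let bad = sample_proposal(true);
    println!("unpatched: {:?}, patched: {:?}", verify_proposal_unpatched(&bad, 32), verify_proposal_patched(&bad, 32));
}
```

The point for reviewers is that an integrity value carried in a header is only meaningful if the same code path that accepts the header also recomputes it over the data it claims to cover.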
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9074
Vulnerability details
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.2.2, a malicious or compromised validator that is elected as proposer can publish a macro block proposal where `header.body_root` does not match the actual macro body hash. The proposal can pass proposal verification because the macro proposal verification path validates the header but does not validate the binding `body_root == hash(body)`; later code expects this binding and may panic on mismatch, crashing validators. Note that the impact is only for validator nodes. The patch for this vulnerability is formally released as part of v1.2.2. The patch adds the corresponding body root verification in the proposal checks. No known workarounds are available.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in macro block proposal verification (missing body_root integrity binding check) allows a malicious/compromised validator proposer to submit malformed data that passes initial checks but triggers panics/crashes on receiving validators, directly enabling application exploitation for endpoint DoS (high availability impact).
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of all inputs (macro-block proposals) including integrity bindings such as body_root == hash(body) before acceptance.
Mandates verification of information integrity; the absent body-root check is precisely the integrity-validation step that SI-7 requires.
Ensures the system fails in a known safe state rather than panicking and crashing validators when an integrity mismatch is later detected.