CVE-2026-34209
Published: 31 March 2026
Summary
CVE-2026-34209 is a high-severity Authentication Bypass by Capture-replay (CWE-294) vulnerability in Wevm Mppx. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 2.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, testing, and implementation of fixes for the specific logic flaw in close voucher validation, as patched in mppx 0.4.11.
- SI-10 (Information Input Validation): enforces rigorous input validation that compares close voucher amounts using <= against the on-chain settled amount, so a voucher that commits no new funds is rejected.
- Vulnerability scanning: identifies the presence of CVE-2026-34209 in mppx dependencies, enabling proactive remediation.
MITRE ATT&CK Enterprise Techniques
- Application or System Exploitation (T1499.004)
Why these techniques?
The logic flaw allows a remote, unauthenticated party to abuse the payment channel close handler, disrupting cooperative close and denying service to participants; this maps to application exploitation.
NVD Description
mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using "<" instead of "<=" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11.
Deeper analysis
CVE-2026-34209 affects mppx, a TypeScript interface for the machine payments protocol, in versions prior to 0.4.11. The vulnerability resides in the tempo/session cooperative close handler, which incorrectly validated the close voucher amount using a strict less-than operator ("<") instead of less-than-or-equal-to ("<=") when comparing it against the on-chain settled amount. This logic flaw, classified under CWE-294 (Authentication Bypass by Capture-replay), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high integrity impact with no confidentiality or availability effects.
Any unauthenticated attacker with network access can exploit this vulnerability by submitting a close voucher with an amount exactly equal to the on-chain settled amount. The invalid comparison allows the voucher to be accepted without requiring the attacker to commit any additional funds, enabling them to unilaterally close the payment channel or grief it for free, disrupting the cooperative close process and potentially denying service to legitimate participants.
The issue has been addressed in mppx version 0.4.11, where the validation logic was corrected to use "<=" as detailed in the patching commit at https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb. Security practitioners should upgrade to this version or later, with further details available in the release notes at https://github.com/wevm/mppx/releases/tag/mppx@0.4.11 and the GitHub security advisory at https://github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mr.
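As an added illustration of the boundary condition described above (this is not mppx's own code and is not taken from the advisory), the TypeScript below contrasts the flawed strict-less-than check with the corrected check on a close voucher whose amount exactly equals the settled amount, and adds a small review helper that flags accepted closes that committed zero new funds. The type names, function names and sample amounts are assumptions constructed for this example.

```typescript
// Added illustration for CVE-2026-34209: not mppx's code. Type names, function
// names and the sample amounts are assumptions made for this example.

export interface CloseVoucher {
  channelId: string;
  // Cumulative amount the voucher commits to the counterparty on close.
  // Kept as a plain integer number for portability of the example; on-chain
  // code would normally carry this as a bigint.
  amount: number;
}

export interface ChannelState {
  channelId: string;
  // Amount already settled on-chain for this channel.
  settledAmount: number;
}

export type CloseResult =
  | { accepted: true; newFunds: number }
  | { accepted: false; reason: string };

// Checks shared by both variants; the comparison that matters is below.
function basicChecks(voucher: CloseVoucher, state: ChannelState): string | null {
  if (voucher.channelId !== state.channelId) return "voucher is for a different channel";
  if (!Number.isInteger(voucher.amount) || voucher.amount < 0) return "malformed amount";
  return null;
}

// Vulnerable variant, mirroring the flaw described for mppx < 0.4.11:
// only a voucher strictly below the settled amount is rejected, so a voucher
// equal to it passes while committing zero new funds.
export function validateCloseVulnerable(voucher: CloseVoucher, state: ChannelState): CloseResult {
  const err = basicChecks(voucher, state);
  if (err) return { accepted: false, reason: err };
  if (voucher.amount < state.settledAmount) {
    return { accepted: false, reason: "voucher amount below settled amount" };
  }
  return { accepted: true, newFunds: voucher.amount - state.settledAmount };
}

// Corrected variant, using the "<=" comparison the advisory describes for
// 0.4.11: a close voucher must commit strictly more than is already settled.
export function validateCloseFixed(voucher: CloseVoucher, state: ChannelState): CloseResult {
  const err = basicChecks(voucher, state);
  if (err) return { accepted: false, reason: err };
  if (voucher.amount <= state.settledAmount) {
    return { accepted: false, reason: "voucher amount does not exceed settled amount" };
  }
  return { accepted: true, newFunds: voucher.amount - state.settledAmount };
}

// Defender-side review helper: given a record of close attempts a node has
// processed, return the channel ids that were closed with zero new funds,
// the outcome an unpatched node would have allowed.
export interface CloseRecord {
  voucher: CloseVoucher;
  settledAmountAtClose: number;
  accepted: boolean;
}

export function findZeroFundCloses(records: CloseRecord[]): string[] {
  return records
    .filter((r) => r.accepted && r.voucher.amount <= r.settledAmountAtClose)
    .map((r) => r.voucher.channelId);
}

// Constructed sample data: 1000 units already settled, and a voucher for
// exactly 1000 (the boundary case the CVE concerns).
export const SAMPLE_STATE: ChannelState = { channelId: "ch-demo-1", settledAmount: 1000 };
export const SAMPLE_VOUCHER: CloseVoucher = { channelId: "ch-demo-1", amount: 1000 };

// Constructed close history: one zero-fund close, one legitimate close, one rejection.
export const SAMPLE_RECORDS: CloseRecord[] = [
  { voucher: SAMPLE_VOUCHER, settledAmountAtClose: 1000, accepted: true },
  { voucher: { channelId: "ch-demo-2", amount: 1500 }, settledAmountAtClose: 1000, accepted: true },
  { voucher: { channelId: "ch-demo-3", amount: 900 }, settledAmountAtClose: 1000, accepted: false },
];

// Runs the boundary case through both variants and returns the two verdicts.
export function demo(): { vulnerableAccepts: boolean; fixedAccepts: boolean } {
  return {
    vulnerableAccepts: validateCloseVulnerable(SAMPLE_VOUCHER, SAMPLE_STATE).accepted,
    fixedAccepts: validateCloseFixed(SAMPLE_VOUCHER, SAMPLE_STATE).accepted,
  };
}
```

The only difference between the two validators is the single comparison operator, which is why a unit test on the equal-amount boundary (settled amount plus zero) is the check worth keeping in a regression suite; `findZeroFundCloses` is the same comparison applied retrospectively to a node's close history.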
Details
- CWE(s)