Cyber Resilience

CVE-2026-34210

Medium

Published: 31 March 2026

Published
31 March 2026
Modified
03 April 2026
KEV Added
Patch
CVSS Score v4 6.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0049 38.5th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-34210 is a medium-severity Incorrect Comparison (CWE-697) vulnerability in Wevm Mppx. Its CVSS base score is 6.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34210 is a vulnerability in mppx, a TypeScript interface for the machine payments protocol, affecting versions prior to 0.4.11. The stripe/charge payment method fails to check Stripe's Idempotent-Replayed response header when creating PaymentIntents, enabling replay attacks. This flaw, classified under CWE-697 with a CVSS score of 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), allows attackers to reuse valid credentials without proper validation.

An attacker with low privileges, such as a legitimate user who has successfully made one payment, can exploit this by replaying a valid credential containing the same spt token against a new challenge. The server accepts the replayed Stripe PaymentIntent as a new successful payment without charging the customer again, enabling the attacker to pay once and consume unlimited resources through repeated replays.

The issue has been patched in mppx version 0.4.11. Mitigation details are available in the GitHub security advisory at https://github.com/wevm/mppx/security/advisories/GHSA-8mhj-rffc-rcvw, the release notes at https://github.com/wevm/mppx/releases/tag/mppx@0.4.11, and the fixing commit at https://github.com/wevm/mppx/commit/b2b1a0b60506fc71aa80b8a025084949dca1a994. Security practitioners should upgrade to version 0.4.11 or later to address this vulnerability.

EU & UK References

Vulnerability details

mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against…

more

a new challenge, and the server would accept the replayed Stripe PaymentIntent as a new successful payment without actually charging the customer again. This allowed an attacker to pay once and consume unlimited resources by replaying the credential. This issue has been patched in version 0.4.11.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows replay attacks against the Stripe payment method in a network-accessible interface, directly enabling exploitation of the public-facing application to bypass payment validation and consume resources.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34209Same product: Wevm Mppx
CVE-2026-44196Shared CWE-697
CVE-2025-20343Shared CWE-697
CVE-2026-26275Shared CWE-697

Affected Assets

wevm
mppx
≤ 0.4.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the vulnerability by requiring identification, testing, and installation of the patch in mppx version 0.4.11 that checks Stripe's Idempotent-Replayed header to prevent replay attacks.

prevent

Protects against replay attacks by requiring mechanisms to ensure the authenticity of payment sessions or transactions, preventing acceptance of replayed Stripe PaymentIntents as new payments.

prevent

Requires validation of information inputs from Stripe API responses, including checking the Idempotent-Replayed header to reject replayed PaymentIntents.

References