CVE-2026-40093
Published: 09 April 2026
Summary
CVE-2026-40093 is a high-severity Improper Validation of Specified Quantity in Input (CWE-1284) vulnerability in Nimiq Nimiq Proof-Of-Stake. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001); ranked at the 20.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates validation of block timestamps with an upper bound against the wall clock, preventing malicious validators from setting arbitrarily future timestamps.
Requires timely identification, reporting, and correction of the timestamp validation flaw via patching affected nimiq-blockchain versions.
Ensures reliable wall clock synchronization across validator nodes, supporting effective upper bound checks on block timestamps.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability allows malicious validator to set arbitrarily future timestamps in blocks, which are transmitted over the network and stored, directly enabling manipulation of block data to affect reward calculations and supply.
NVD Description
nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In 1.3.0 and earlier, block timestamp validation enforces that timestamp >= parent.timestamp for non-skip blocks and timestamp == parent.timestamp + MIN_PRODUCER_TIMEOUT for skip blocks, but there is no visible upper bound…
more
check against the wall clock. A malicious block-producing validator can set block timestamps arbitrarily far in the future. This directly affects reward calculations via Policy::supply_at() and batch_delay() in blockchain/src/reward.rs, inflating the monetary supply beyond the intended emission schedule.
Deeper analysisAI
CVE-2026-40093 is a vulnerability in the nimiq-blockchain component, which provides persistent block storage for Nimiq's Rust implementation. Affecting versions 1.3.0 and earlier, the issue stems from incomplete block timestamp validation. While the code enforces that non-skip blocks have a timestamp greater than or equal to the parent block's timestamp and skip blocks have a timestamp exactly equal to the parent timestamp plus MIN_PRODUCER_TIMEOUT, there is no upper bound check against the wall clock.
A malicious block-producing validator can exploit this vulnerability over the network with low privileges. By setting block timestamps arbitrarily far in the future, the attacker directly manipulates reward calculations through Policy::supply_at() and batch_delay() functions in blockchain/src/reward.rs, inflating the monetary supply beyond the intended emission schedule. The CVSS v3.1 base score is 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), linked to CWE-1284 (Improvable Triple-DES Key Sizes).
Mitigation details are available in the GitHub security advisory at https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-49xc-52mp-cc9j.
Details
- CWE(s)