CVE-2026-40583
Published: 21 April 2026
Summary
CVE-2026-40583 is a high-severity Improper Cleanup on Thrown Exception (CWE-460) vulnerability in Ultradag Ultradag. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-40583 is a vulnerability in UltraDAG, a minimal DAG-BFT blockchain implemented in Rust, affecting version 0.1. It enables a non-council attacker to submit a signed SmartOp::Vote transaction that passes initial signature, nonce, and balance prechecks but fails authorization only after state mutation has already occurred. The issue carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) and maps to CWE-460 and CWE-696.
A remote attacker requires no privileges, authentication, or user interaction to exploit this over the network with low complexity. Successful exploitation triggers unintended state mutation prior to authorization failure, resulting in low integrity impact and high availability disruption.
The UltraDAG core GitHub repository addresses the vulnerability via commits 2f5a3a237ea519b48d71e6e3093c89f60694c7be and 45bcf7064741897319b6196d3d9f9e1307093511, with additional mitigation details in security advisory GHSA-q8wx-2crx-c7pp.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24179
Vulnerability details
UltraDAG is a minimal DAG-BFT blockchain in Rust. In version 0.1, a non-council attacker can submit a signed SmartOp::Vote transaction that passes signature, nonce, and balance prechecks, but fails authorization only after state mutation has already occurred.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated network exploitation of public-facing blockchain app (T1190) due to authorization check after state mutation enables runtime data manipulation (T1565.003) and availability disruption via app exploitation (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations prior to state mutations, directly preventing non-council attackers from inducing unauthorized changes via SmartOp::Vote transactions.
Validates all aspects of incoming SmartOp::Vote transactions, including authorization, before processing to block exploitation after initial prechecks.
Applies least privilege to restrict state-mutating vote transactions to council members only, reducing the impact of delayed authorization checks.