{"api_version":"1","generated_at":"2026-04-22T21:27:10+00:00","cve":"CVE-2026-34209","urls":{"html":"https://cve.report/CVE-2026-34209","api":"https://cve.report/api/cve/CVE-2026-34209.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-34209","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-34209"},"summary":{"title":"mppx: Tempo has a session close voucher bypass vulnerability due to settled amount equality","description":"mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using \"<\" instead of \"<=\" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-03-31 15:16:18","updated_at":"2026-04-03 15:59:37"},"problem_types":["CWE-294","CWE-294 CWE-294: Authentication Bypass by Capture-replay"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/wevm/mppx/releases/tag/mppx@0.4.11","name":"https://github.com/wevm/mppx/releases/tag/mppx@0.4.11","refsource":"security-advisories@github.com","tags":["Release Notes"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mr","name":"https://github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mr","refsource":"security-advisories@github.com","tags":["Patch","Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb","name":"https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb","refsource":"security-advisories@github.com","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-34209","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34209","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"wevm","product":"mppx","version":"affected < 0.4.11","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"34209","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"wevm","cpe5":"mppx","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"34209","cve":"CVE-2026-34209","epss":"0.000370000","percentile":"0.108670000","score_date":"2026-04-07","updated_at":"2026-04-08 00:03:39"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-34209","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-04-02T15:13:21.208040Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-04-02T15:13:32.047Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"mppx","vendor":"wevm","versions":[{"status":"affected","version":"< 0.4.11"}]}],"descriptions":[{"lang":"en","value":"mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using \"<\" instead of \"<=\" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-294","description":"CWE-294: Authentication Bypass by Capture-replay","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-03-31T14:10:46.416Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mr","tags":["x_refsource_CONFIRM"],"url":"https://github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mr"},{"name":"https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb","tags":["x_refsource_MISC"],"url":"https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb"},{"name":"https://github.com/wevm/mppx/releases/tag/mppx@0.4.11","tags":["x_refsource_MISC"],"url":"https://github.com/wevm/mppx/releases/tag/mppx@0.4.11"}],"source":{"advisory":"GHSA-mv9j-8jvg-j8mr","discovery":"UNKNOWN"},"title":"mppx: Tempo has a session close voucher bypass vulnerability due to settled amount equality"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-34209","datePublished":"2026-03-31T14:10:46.416Z","dateReserved":"2026-03-26T15:57:52.324Z","dateUpdated":"2026-04-02T15:13:32.047Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-31 15:16:18","lastModifiedDate":"2026-04-03 15:59:37","problem_types":["CWE-294","CWE-294 CWE-294: Authentication Bypass by Capture-replay"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wevm:mppx:*:*:*:*:*:node.js:*:*","versionEndExcluding":"0.4.11","matchCriteriaId":"72D62258-34DE-453F-8DFC-D25FA285D537"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"34209","Ordinal":"1","Title":"mppx: Tempo has a session close voucher bypass vulnerability due","CVE":"CVE-2026-34209","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"34209","Ordinal":"1","NoteData":"mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using \"<\" instead of \"<=\" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11.","Type":"Description","Title":"mppx: Tempo has a session close voucher bypass vulnerability due"}]}}}