CVE-2026-34066: CWE-20: Improper Input Validation in nimiq nimiq-blockchain
A vulnerability in nimiq-blockchain versions prior to 1.3.0 allows a remote peer to cause a panic via improper input validation in the HistoryStore component. Specifically, the function put_historic_txns uses an assert to enforce block number invariants, which can be violated by a malformed history list during history synchronization, leading to a denial of service. The issue is fixed in version 1.3.0. No known workarounds exist.
AI Analysis
Technical Summary
nimiq-blockchain's HistoryStore prior to version 1.3.0 improperly validates input in the put_historic_txns function by relying on an assert to enforce that HistoricTransaction.block_number values are within expected ranges. During history synchronization, a remote peer can supply a crafted history list that violates these invariants, causing the assert to trigger a panic before the history root is verified against the macro block header. This results in a denial of service condition. The vulnerability is addressed by a patch included in version 1.3.0 of nimiq-blockchain.
Potential Impact
An unauthenticated remote peer can cause the nimiq-blockchain node to panic and crash during history synchronization by sending malformed historic transaction data. This leads to a denial of service (DoS) condition. There is no impact on confidentiality or integrity according to the CVSS vector. The CVSS score is 5.3 (medium severity).
Mitigation Recommendations
Upgrade nimiq-blockchain to version 1.3.0 or later, where this vulnerability is patched. No known workarounds exist. Until the upgrade, nodes remain vulnerable to denial of service via malformed history data during sync.
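The pattern the Technical Summary describes, an assert on peer-supplied data that fires before the chunk is verified, is shown below next to the hardened form a maintainer would use. This is an added illustration, not code from nimiq-blockchain: the type and function names (HistoricTransaction, HistoryStore, put_historic_txns) follow the advisory's wording, while the struct fields, the error type, the monotonic-order invariant and the sample chunks are assumptions constructed for the example. The hardened version validates the whole chunk and returns an error the sync layer can act on (discard the chunk, penalise the peer), so a malformed history list cannot take the node down.

```rust
// Added example, not nimiq-blockchain's code. Names follow the advisory; the
// fields, invariants and sample data are assumptions made for illustration.
use std::panic;

#[derive(Debug, Clone, PartialEq)]
pub struct HistoricTransaction {
    pub block_number: u32,
    pub tx_hash: [u8; 4], // constructed stand-in for a real transaction hash
}

#[derive(Debug, PartialEq)]
pub enum HistoryError {
    /// A transaction claims a block outside the range the chunk is supposed to cover.
    BlockNumberOutOfRange { index: usize, block_number: u32, min: u32, max: u32 },
    /// Entries must be ordered by block number (assumed invariant for this example).
    NotMonotonic { index: usize },
}

#[derive(Default)]
pub struct HistoryStore {
    txns: Vec<HistoricTransaction>,
}

impl HistoryStore {
    pub fn new() -> Self {
        Self::default()
    }

    pub fn len(&self) -> usize {
        self.txns.len()
    }

    /// Vulnerable pattern: the invariant is enforced with `assert!`, so a malformed
    /// chunk from a remote peer panics the thread instead of being rejected.
    pub fn put_historic_txns_with_assert(&mut self, first_block: u32, last_block: u32, chunk: &[HistoricTransaction]) {
        for tx in chunk {
            assert!(
                (first_block..=last_block).contains(&tx.block_number),
                "block number {} outside [{}, {}]", tx.block_number, first_block, last_block
            );
            self.txns.push(tx.clone());
        }
    }

    /// Hardened pattern: validate the whole chunk first and surface an error the
    /// sync layer can handle; only mutate the store once every entry is checked.
    pub fn put_historic_txns(&mut self, first_block: u32, last_block: u32, chunk: &[HistoricTransaction]) -> Result<usize, HistoryError> {
        validate_chunk(first_block, last_block, chunk)?;
        self.txns.extend_from_slice(chunk);
        Ok(chunk.len())
    }
}

/// Checks that every block number lies in [first_block, last_block] and is non-decreasing.
pub fn validate_chunk(first_block: u32, last_block: u32, chunk: &[HistoricTransaction]) -> Result<(), HistoryError> {
    let mut prev = first_block;
    for (index, tx) in chunk.iter().enumerate() {
        if !(first_block..=last_block).contains(&tx.block_number) {
            return Err(HistoryError::BlockNumberOutOfRange { index, block_number: tx.block_number, min: first_block, max: last_block });
        }
        if tx.block_number < prev {
            return Err(HistoryError::NotMonotonic { index });
        }
        prev = tx.block_number;
    }
    Ok(())
}

fn mk_tx(block_number: u32, tag: u8) -> HistoricTransaction {
    HistoricTransaction { block_number, tx_hash: [tag; 4] }
}

/// Constructed well-formed chunk covering blocks 10..=20.
pub fn sample_good_chunk() -> Vec<HistoricTransaction> {
    vec![mk_tx(10, 1), mk_tx(12, 2), mk_tx(20, 3)]
}

/// Constructed malformed chunk: the second entry claims block 99, outside the range.
pub fn sample_malformed_chunk() -> Vec<HistoricTransaction> {
    vec![mk_tx(10, 1), mk_tx(99, 2), mk_tx(20, 3)]
}

/// Returns true if the assert-based variant panics on the malformed chunk.
pub fn assert_variant_panics() -> bool {
    panic::catch_unwind(|| {
        let mut store = HistoryStore::new();
        store.put_historic_txns_with_assert(10, 20, &sample_malformed_chunk());
    })
    .is_err()
}

fn main() {
    let mut store = HistoryStore::new();
    println!("good chunk: {:?}", store.put_historic_txns(10, 20, &sample_good_chunk()));
    println!("malformed chunk: {:?}", store.put_historic_txns(10, 20, &sample_malformed_chunk()));
    println!("assert variant panics: {}", assert_variant_panics());
}
```

The important design choice is that validation runs over the complete chunk before anything is written, so a rejected chunk leaves the store unchanged and the caller can drop the peer's data without unwinding partial state. Reserving `assert!` for invariants that only local code can violate, and returning `Result` for anything a peer controls, is the general rule this CVE illustrates.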
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-25T16:21:40.867Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69e9290319fe3cd2cde955ab
Added to database: 4/22/2026, 8:01:07 PM
Last enriched: 4/30/2026, 8:15:00 AM
Last updated: 6/5/2026, 7:55:03 AM