CVE-2026-34209: CWE-294: Authentication Bypass by Capture-replay in wevm mppx
mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using "<" instead of "<=" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11.
AI Analysis
Technical Summary
The mppx component of the wevm project had a validation flaw in its tempo/session cooperative close handler. It used a less-than comparison ('<') instead of a less-than-or-equal-to ('<=') check when validating the close voucher amount against the on-chain settled amount. This allowed an attacker to submit a close voucher exactly equal to the settled amount, which was accepted incorrectly, enabling channel closure or griefing without additional funds. This vulnerability is tracked as CVE-2026-34209 and is classified under CWE-294 (Authentication Bypass). It has a CVSS 3.1 score of 7.5 (high severity). The issue has been patched in version 0.4.11.
Potential Impact
An attacker can close or grief a payment channel by submitting a close voucher equal to the settled amount without committing new funds. This results in denial of service or disruption of normal channel operations, impacting the integrity of payment settlements. There is no confidentiality or availability impact reported. No known exploits are currently in the wild.
Mitigation Recommendations
Upgrade to version 0.4.11 or later of the wevm mppx interface, where the validation logic has been corrected to use a less-than-or-equal-to comparison. This patch effectively prevents the described authentication bypass and channel griefing. No additional mitigation is required once the update is applied.
CVE-2026-34209: CWE-294: Authentication Bypass by Capture-replay in wevm mppx
Description
mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using "<" instead of "<=" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The mppx component of the wevm project had a validation flaw in its tempo/session cooperative close handler. It used a less-than comparison ('<') instead of a less-than-or-equal-to ('<=') check when validating the close voucher amount against the on-chain settled amount. This allowed an attacker to submit a close voucher exactly equal to the settled amount, which was accepted incorrectly, enabling channel closure or griefing without additional funds. This vulnerability is tracked as CVE-2026-34209 and is classified under CWE-294 (Authentication Bypass). It has a CVSS 3.1 score of 7.5 (high severity). The issue has been patched in version 0.4.11.
Potential Impact
An attacker can close or grief a payment channel by submitting a close voucher equal to the settled amount without committing new funds. This results in denial of service or disruption of normal channel operations, impacting the integrity of payment settlements. There is no confidentiality or availability impact reported. No known exploits are currently in the wild.
Mitigation Recommendations
Upgrade to version 0.4.11 or later of the wevm mppx interface, where the validation logic has been corrected to use a less-than-or-equal-to comparison. This patch effectively prevents the described authentication bypass and channel griefing. No additional mitigation is required once the update is applied.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-26T15:57:52.324Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69cbd8dae6bfc5ba1d1c3123
Added to database: 3/31/2026, 2:23:22 PM
Last enriched: 4/7/2026, 11:59:10 PM
Last updated: 5/16/2026, 8:00:09 AM
Views: 70
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.