CVE-2026-34210: CWE-697: Incorrect Comparison in wevm mppx
CVE-2026-34210 is a medium severity vulnerability in the mppx TypeScript interface for machine payments protocol, specifically affecting versions prior to 0.4.11. The flaw involves an incorrect comparison in the stripe/charge payment method, where the system fails to verify Stripe's Idempotent-Replayed response header when creating PaymentIntents. This allows an attacker to replay a valid payment credential containing the same spt token against a new challenge, causing the server to accept the replayed PaymentIntent as a new successful payment without charging the customer again. Consequently, attackers can pay once but consume unlimited resources by replaying the credential multiple times. The issue has been fixed in version 0.4.11. Exploitation requires low privileges and partial authentication but no user interaction.
AI Analysis
Technical Summary
CVE-2026-34210 is a vulnerability classified under CWE-697 (Incorrect Comparison) affecting the mppx TypeScript interface, a component used for machine payments protocol implementations. The vulnerability exists in versions prior to 0.4.11, specifically in the stripe/charge payment method. The root cause is the failure to properly check Stripe's Idempotent-Replayed response header when creating PaymentIntents. Stripe uses this header to indicate that a payment request is a replay of a previously processed request, which should not result in a new charge. Due to the incorrect comparison logic, the system accepts replayed PaymentIntents as new successful payments without charging the customer again. Attackers can exploit this by capturing a valid payment credential containing the spt token and replaying it against new payment challenges, effectively allowing them to consume unlimited resources or services while only paying once. The vulnerability requires the attacker to have some level of authentication (partial privileges) but does not require user interaction, and the attack can be performed remotely over the network. The vulnerability has a CVSS 4.0 base score of 6.0, indicating medium severity, reflecting the moderate impact on integrity and availability but no impact on confidentiality. The issue was patched in mppx version 0.4.11, which correctly validates the Idempotent-Replayed header to prevent replay attacks. No known exploits have been reported in the wild to date.
Potential Impact
The primary impact of this vulnerability is financial and resource abuse. Organizations using vulnerable versions of mppx with Stripe payment integration may face fraudulent transactions where attackers replay valid payment credentials to consume services or resources without additional charges. This can lead to significant financial losses, depletion of service quotas, and potential denial of service due to resource exhaustion. The integrity of payment processing is compromised, undermining trust in the payment system. Since the vulnerability allows bypassing payment charges, it can also facilitate fraud and abuse in subscription services, pay-per-use platforms, or any system relying on mppx for payment validation. While confidentiality is not directly affected, the availability and integrity of payment services are at risk. The ease of exploitation combined with the ability to perform attacks remotely increases the threat level for organizations worldwide that rely on this payment interface.
Mitigation Recommendations
Organizations should immediately upgrade mppx to version 0.4.11 or later to ensure the patch addressing this vulnerability is applied. Additionally, implement strict validation of Stripe's Idempotent-Replayed response headers in payment workflows to detect and reject replayed payment intents. Employ monitoring and alerting for unusual payment patterns indicative of replay attacks, such as multiple identical PaymentIntents from the same token. Integrate rate limiting and anomaly detection on payment endpoints to reduce the risk of automated replay attempts. Conduct thorough code reviews and testing of payment processing logic to ensure all idempotency and replay protections are correctly enforced. Consider additional multi-factor authentication or challenge-response mechanisms for high-value transactions to increase attack complexity. Finally, maintain up-to-date dependency management and vulnerability scanning to quickly identify and remediate similar issues in third-party components.
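The header check the summary and the recommendations describe, as an added TypeScript illustration that is not mppx's own code: a constructed settlement routine that compares only the PaymentIntent status (the shape of the flaw) beside one that also honours Stripe's Idempotent-Replayed header and refuses to credit a PaymentIntent id to a second challenge. The header name comes from the advisory; the function names, the header record shape and the in-memory settled map are assumptions.

```typescript
// Added illustration, not mppx's own code: settling a payment challenge from a
// Stripe PaymentIntent create response. Assumption: headers arrive as a
// string-keyed record (stripe-node exposes them on `lastResponse.headers`).
type HeaderMap = Record<string, string>;
interface IntentResponse {
  id: string;         // PaymentIntent id, e.g. "pi_..."
  status: string;     // "succeeded" once the charge went through
  headers: HeaderMap; // HTTP response headers from Stripe
}
interface Verdict { ok: boolean; reason: string; }

// Shape of the flaw (constructed): only the status is compared, so a replayed
// create call, which Stripe answers with the original intent plus
// `Idempotent-Replayed: true`, is credited as a fresh payment.
function settleVulnerable(res: IntentResponse): Verdict {
  return res.status === "succeeded"
    ? { ok: true, reason: "status succeeded" }
    : { ok: false, reason: `status ${res.status}` };
}

// Hardened form: reject replays Stripe signals, and independently refuse to
// credit a PaymentIntent id that already settled a different challenge.
function settleHardened(
  res: IntentResponse,
  challengeId: string,
  settled: Map<string, string>, // PaymentIntent id -> challenge it paid for
): Verdict {
  if (res.status !== "succeeded") {
    return { ok: false, reason: `status ${res.status}` };
  }
  // HTTP header names are case-insensitive; normalise before comparing.
  const replayed = Object.keys(res.headers).some(
    (k) =>
      k.toLowerCase() === "idempotent-replayed" &&
      res.headers[k].trim().toLowerCase() === "true",
  );
  if (replayed) {
    return { ok: false, reason: "Idempotent-Replayed: no new charge was made" };
  }
  const prior = settled.get(res.id);
  if (prior !== undefined && prior !== challengeId) {
    return { ok: false, reason: `${res.id} already settled ${prior}` };
  }
  settled.set(res.id, challengeId);
  return { ok: true, reason: "new charge credited" };
}
```

The second check matters on its own: even if a proxy strips the header, a PaymentIntent id that already paid for one challenge is never credited to another.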
Affected Countries
United States, United Kingdom, Canada, Germany, France, Australia, Japan, South Korea, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-26T15:57:52.324Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69cbd8dce6bfc5ba1d1c31a2
Added to database: 3/31/2026, 2:23:24 PM
Last enriched: 3/31/2026, 2:41:11 PM
Last updated: 3/31/2026, 3:52:00 PM