{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34209", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-26T15:57:52.324Z", "datePublished": "2026-03-31T14:10:46.416Z", "dateUpdated": "2026-03-31T14:10:46.416Z"}, "containers": {"cna": {"title": "mppx: Tempo has a session close voucher bypass vulnerability due to settled amount equality", "problemTypes": [{"descriptions": [{"cweId": "CWE-294", "lang": "en", "description": "CWE-294: Authentication Bypass by Capture-replay", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mr"}, {"name": "https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb", "tags": ["x_refsource_MISC"], "url": "https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb"}, {"name": "https://github.com/wevm/mppx/releases/tag/mppx@0.4.11", "tags": ["x_refsource_MISC"], "url": "https://github.com/wevm/mppx/releases/tag/mppx@0.4.11"}], "affected": [{"vendor": "wevm", "product": "mppx", "versions": [{"version": "< 0.4.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T14:10:46.416Z"}, "descriptions": [{"lang": "en", "value": "mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using \"<\" instead of \"<=\" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11."}], "source": {"advisory": "GHSA-mv9j-8jvg-j8mr", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using \"<\" instead of \"<=\" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11."}], "id": "CVE-2026-34209", "lastModified": "2026-03-31T15:16:18.030", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T15:16:18.030", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb"}, {"source": "security-advisories@github.com", "url": "https://github.com/wevm/mppx/releases/tag/mppx@0.4.11"}, {"source": "security-advisories@github.com", "url": "https://github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-294"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.4.11)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "mppx", "source": "cna", "vendor": "wevm"}, "product": "mppx", "vendor": "wevm"}], "analysis": {"en": {"generated_at": "2026-03-31T15:20:51.294433+00:00", "value": {"mitigation_remediation": ["Update wevm:mppx to version 0.4.11 or newer", "Confirm that the channel close handler now validates voucher amounts using '<=' against the settled amount", "Monitor channel state for abnormal close attempts if temporary mitigations are applied"], "summary": {"action": "Patch immediately", "impact": "Channel Disruption and Financial Loss"}, "threat_synthesis": {"affected_systems": "This vulnerability affects the wevm:mppx implementation, specifically all releases prior to version 0.4.11. Commit 94088246ee18f21b5d6be40d9e7a464f5a280bfb introduced the fix, and the release tagged mppx@0.4.11 includes the patch. Users of earlier versions on any platform should update promptly.", "description_and_impact": "mppx is a TypeScript interface for the Machine Payments Protocol. Prior to 0.4.11, the tempo/session cooperative close handler used a '<' comparison instead of '<=' to validate the close voucher amount against the on-chain settled amount. This mistake permits an attacker to submit a close voucher whose amount equals the settled balance, causing the handler to accept it without transferring any funds. The channel is then closed or griefed, resulting in immediate financial loss or denial of service for channel participants.", "risk_and_exploitability": "The vulnerability scores a CVSS of 7.5, indicating high impact. The EPSS score is unavailable, and the issue is not listed in the CISA KEV catalog. Exploitation can be carried out by crafting a close voucher that exactly matches the settled amount, which an attacker can send remotely to a channel partner. Given the severity and the clear attack path, the risk is high and requires immediate patching."}}}}, "created": "2026-03-31T19:54:25.824314+00:00", "updated": "2026-03-31T20:38:21.329824+00:00", "vendors": ["wevm", "wevm$PRODUCT$mppx"]}