What is the CVSS score of CVE-2026-34209?

CVE-2026-34209 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. EPSS exploitation probability: 0.0%.

How to fix or mitigate CVE-2026-34209?

Within 24 hours: Identify all applications and services using mppx npm package and document current versions in use. Within 7 days: Update all affected instances to mppx version 0.4.11 or later and validate the update in a staging environment. Within 30 days: Conduct a security audit of payment channel transactions for the past 90 days to identify any suspicious channel closures or unauthorized fund movements; review and strengthen monitoring for abnormal payment channel activity.

CVE-2026-34209

HIGH

Authentication Bypass by Capture-replay (CWE-294)

2026-03-29 https://github.com/wevm/mppx

GHSA-mv9j-8jvg-j8mr

Information Disclosure

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 29, 2026 - 15:30 vuln.today

Patch released

Mar 29, 2026 - 15:30 nvd

Patch available

CVE Published

Mar 29, 2026 - 15:10 nvd

HIGH 7.5

DescriptionNVD

Impact

The tempo/session cooperative close handler validated the close voucher amount using < instead of <= against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free.

Patches

Fixed in 0.4.11.

Workarounds

There are no workarounds available for this vulnerability.

AnalysisAI

A logic error in the mppx npm package (versions <0.4.11) allows remote attackers to close payment channels without committing funds by exploiting an off-by-one validation flaw in the tempo/session cooperative close handler. The handler incorrectly used '<' instead of '<=' when validating close voucher amounts against settled on-chain amounts, enabling attackers to submit vouchers exactly equal to settled amounts for free channel closure or griefing attacks. …

RemediationAI

Within 24 hours: Identify all applications and services using mppx npm package and document current versions in use. Within 7 days: Update all affected instances to mppx version 0.4.11 or later and validate the update in a staging environment. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-34209 vulnerability details – vuln.today

Back

CVE-2026-34209

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Impact

Patches

Workarounds

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code