Skip to main content

UltraDAG Core CVE-2026-42278

| EUVDEUVD-2026-28526 HIGH
Improper Access Control (CWE-284)
2026-05-08 GitHub_M
8.8
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
May 08, 2026 - 05:31 vuln.today
Analysis Generated
May 08, 2026 - 05:31 vuln.today
CVSS changed
May 08, 2026 - 05:22 NVD
8.8 (HIGH)
CVE Published
May 08, 2026 - 03:55 nvd
HIGH 8.8

DescriptionGitHub Advisory

UltraDAG is a minimal DAG-BFT blockchain in Rust. Prior to commit fb6ef59, the UltraDAG StateEngine implementation of SmartTransferTx contains a critical logic flaw in its policy enforcement pipeline. When a transaction originates from a "Pocket" (a derived sub-address documented in the protocol as a way to organize funds), the engine fails to resolve the pocket's parent account before checking the spending policy. Because pockets are "virtual" addresses that exist only as entries in the pocket_to_parent map and do not have their own SmartAccountConfig entries, the check_spending_policy method defaults to an "authorized/no policy" result. This allow any user (or attacker in possession of a parent key) to instantly drain every pocket on an account, even if the parent account has a strict 24-hour vault delay or a 1 UDAG daily limit. This issue has been patched via commit fb6ef59.

AnalysisAI

Authentication bypass in UltraDAG Core blockchain allows remote unauthenticated attackers to drain all pocket-derived sub-addresses on smart accounts, completely bypassing vault delays and daily spending limits. The StateEngine fails to resolve pocket addresses to their parent account during policy enforcement, treating virtual pocket addresses as unrestricted accounts. Confirmed actively exploited (CISA KEV). Vendor-released patch: commit fb6ef59 resolves pocket-to-parent mapping before all policy checks. EPSS data unavailable but attack vector is network-accessible with no complexity (CVSS 4.0 AV:N/AC:L/PR:N), making this a critical priority for any UltraDAG deployment using smart account pockets.

Technical ContextAI

UltraDAG implements a DAG-BFT blockchain with smart accounts supporting 'pockets' - derived sub-addresses that organize funds under a parent account (similar to HD wallet derivation). The affected component is StateEngine in ultradag-coin/src/state/engine.rs, specifically the check_spending_policy method invoked during SmartTransferTx execution. Pockets exist only as entries in the pocket_to_parent HashMap and lack their own SmartAccountConfig records. The root cause (CWE-284: Improper Access Control) occurs because the policy enforcement pipeline queries self.smart_accounts.get_mut(&tx.from) directly without first resolving tx.from through pocket_to_parent. When tx.from is a pocket address, the lookup returns None, and the check_spending_policy method defaults to authorized/no-policy. Meanwhile, signature verification in verify_smart_transfer correctly resolves pockets to parents for authorization, creating an asymmetric security model where authentication succeeds via the parent key but enforcement bypasses the parent's configured vault delays (e.g., 24-hour holds) and daily limits (e.g., 1 UDAG caps). The CPE string cpe:2.3:a:ultradagcom:core identifies all versions prior to commit fb6ef59.

RemediationAI

Apply vendor-released patch by upgrading to UltraDAG Core commit fb6ef59d6c1385400e7acea7ae31fc6a473c3051 or later (https://github.com/UltraDAGcom/core/commit/fb6ef59d6c1385400e7acea7ae31fc6a473c3051). The patch adds pocket-to-parent resolution in three critical paths: check_spending_policy now resolves let policy_owner = self.pocket_to_parent.get(from).copied().unwrap_or(*from) before querying smart_accounts; vault creation records the origin address in a new PendingVaultTransfer.from field to ensure cancel refunds return to the correct surface; and vault execution resolves policy_owner for all limit checks. If immediate patching is not feasible, implement these compensating controls with noted trade-offs: (1) Disable pocket creation via node policy configuration - prevents new vulnerable addresses but does not protect existing pockets, and removes legitimate organizational functionality. (2) Monitor all SmartTransferTx transactions originating from pocket addresses (identifiable via on-chain pocket_to_parent mappings) and manually validate against parent policies - operationally intensive and does not prevent exploitation, only detects it post-facto. (3) Force-migrate all pocket balances to parent addresses via administrative tooling - requires coordinated user action and breaks pocket-based fund organization. None of these workarounds provide complete protection; patching is the only full remediation. Review the 265-line regression test suite in the patch commit (tests/smart_account_policy_pocket.rs) to validate fix completeness in your environment.

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2021-30476 CRITICAL POC
9.8 Apr 22

HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Va

CVE-2019-7442 CRITICAL POC
9.8 May 08

An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault

CVE-2018-20371 CRITICAL POC
9.8 Dec 23

PhotoRange Photo Vault 1.2 appends the password to the URI for authorization, which makes it easier for remote attackers

CVE-2018-9843 CRITICAL POC
9.8 Apr 12

The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute

CVE-2026-60104 CRITICAL POC
9.3 Jul 08

Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth

CVE-2021-43837 CRITICAL POC
9.1 Dec 16

vault-cli is a configurable command-line interface tool (and python library) to interact with Hashicorp Vault. Rated cri

CVE-2020-16272 CRITICAL POC
9.1 Aug 03

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, w

CVE-2020-16271 CRITICAL POC
9.1 Aug 03

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows re

CVE-2017-11741 HIGH POC
8.8 Aug 08

HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.24 uses weak permissions for the sudo help

CVE-2024-52009 HIGH POC
8.5 Nov 08

Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Rated high sev

CVE-2025-58437 HIGH POC
8.1 Sep 06

Coder allows organizations to provision remote development environments via Terraform. Rated high severity (CVSS 8.1), t

Share

CVE-2026-42278 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy