{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34209", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-26T15:57:52.324Z", "datePublished": "2026-03-31T14:10:46.416Z", "dateUpdated": "2026-04-02T15:13:32.047Z"}, "containers": {"cna": {"title": "mppx: Tempo has a session close voucher bypass vulnerability due to settled amount equality", "problemTypes": [{"descriptions": [{"cweId": "CWE-294", "lang": "en", "description": "CWE-294: Authentication Bypass by Capture-replay", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mr"}, {"name": "https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb", "tags": ["x_refsource_MISC"], "url": "https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb"}, {"name": "https://github.com/wevm/mppx/releases/tag/mppx@0.4.11", "tags": ["x_refsource_MISC"], "url": "https://github.com/wevm/mppx/releases/tag/mppx@0.4.11"}], "affected": [{"vendor": "wevm", "product": "mppx", "versions": [{"version": "< 0.4.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T14:10:46.416Z"}, "descriptions": [{"lang": "en", "value": "mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using \"<\" instead of \"<=\" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11."}], "source": {"advisory": "GHSA-mv9j-8jvg-j8mr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T15:13:21.208040Z", "id": "CVE-2026-34209", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T15:13:32.047Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34209", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T15:13:21.208040Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T15:13:26.917Z"}}], "cna": {"title": "mppx: Tempo has a session close voucher bypass vulnerability due to settled amount equality", "source": {"advisory": "GHSA-mv9j-8jvg-j8mr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "wevm", "product": "mppx", "versions": [{"status": "affected", "version": "< 0.4.11"}]}], "references": [{"url": "https://github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mr", "name": "https://github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb", "name": "https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/wevm/mppx/releases/tag/mppx@0.4.11", "name": "https://github.com/wevm/mppx/releases/tag/mppx@0.4.11", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using \"<\" instead of \"<=\" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-294", "description": "CWE-294: Authentication Bypass by Capture-replay"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T14:10:46.416Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34209", "state": "PUBLISHED", "dateUpdated": "2026-04-02T15:13:32.047Z", "dateReserved": "2026-03-26T15:57:52.324Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T14:10:46.416Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wevm:mppx:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "72D62258-34DE-453F-8DFC-D25FA285D537", "versionEndExcluding": "0.4.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using \"<\" instead of \"<=\" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11."}], "id": "CVE-2026-34209", "lastModified": "2026-04-03T15:59:37.143", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T15:16:18.030", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/wevm/mppx/releases/tag/mppx@0.4.11"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-294"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.4.11)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "mppx", "source": "cna", "vendor": "wevm"}, "product": "mppx", "vendor": "wevm"}], "analysis": {"en": {"generated_at": "2026-04-03T18:58:37.373981+00:00", "value": {"mitigation_remediation": ["Upgrade the wevm:mppx package to version 0.4.11 or later", "Verify that the application is using the corrected close voucher logic", "Monitor system logs for unexpected channel closure events", "Check the project's GitHub repository for additional advisories or updates"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Channel Closure"}, "threat_synthesis": {"affected_systems": "The wevm:mppx package, an interface for the machine payments protocol, is affected. All releases prior to version 0.4.11 contain the vulnerability and require an update to v0.4.11 or later.", "description_and_impact": "A flaw in mppx\u2019s session close handler accepts a close voucher whose amount equals the settled on\u2011chain amount. The code uses a less\u2011than comparison instead of a less\u2011than\u2011or\u2011equal comparison, which causes the voucher to be treated as valid and the channel to close without committing any additional funds. This permits an attacker to close or grief a channel at no cost, potentially causing financial loss to a counterparty and disrupting normal payment operations.", "risk_and_exploitability": "The CVSS score of 7.5 highlights a high\u2011severity flaw, whereas the EPSS score of less than 1% indicates a low probability of exploitation. The vulnerability is not yet listed in the CISA KEV catalog, suggesting no widespread exploitation has been documented. Attackers must be able to submit a close voucher to the protocol, implying a remote or network\u2011based vector. Given the high impact and moderate severity, rapid remediation is recommended."}}}}, "created": "2026-03-31T19:54:25.824314+00:00", "updated": "2026-04-03T21:17:43.036044+00:00", "vendors": ["wevm", "wevm$PRODUCT$mppx"]}