CVE-2026-46539
MediumCVSS 5.9Exploitation Probability (EPSS)
Low risk3th percentile - higher than 3% of all known CVEs
Summary
In versions prior to 1.4.0, Nimiq has a logic flaw in the BlockInclusionProof::is_block_proven function that allows a MacroBlock header to be accepted as 'proven' without cryptographic verification. This issue occurs when the hop list is empty, which can be exploited by an attacker to forge transaction inclusion proofs.
Risk Assessment
The organization may be vulnerable to attacks that allow block forgery in the system, potentially leading to a loss of trust in the protocol and financial losses.
Recommendation
It is recommended to upgrade to version 1.4.0 or later to mitigate this vulnerability and conduct a security audit of the system.
Original NVD description (English source)
Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, a logic flaw in BlockInclusionProof::is_block_proven causes the function to return true without performing any cryptographic verification when get_interlink_hops yields an empty hop list. This occurs when the target block is at the election block position immediately preceding the election head's epoch. An attacker providing transaction inclusion proofs can forge a MacroBlock header for that epoch position and have it accepted as "proven" without any hash or signature verification. This issue has been patched in version 1.4.0.

