PatchSiren cyber security CVE debrief
CVE-2026-46539 nimiq CVE debrief
CVE-2026-46539 is a MEDIUM severity vulnerability in Nimiq's Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. A logic flaw in BlockInclusionProof::is_block_proven causes the function to return true without performing any cryptographic verification when get_interlink_hops yields an empty hop list. This occurs when the target block is at the election block position immediately preceding the election head's epoch. An attacker providing transaction inclusion proofs can forge a MacroBlock header for that epoch position and have it accepted as 'proven' without any hash or signature verification. This issue has been patched in version 1.4.0.
- Vendor
- nimiq
- Product
- core-rs-albatross
- CVSS
- MEDIUM 5.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-10
- Original CVE updated
- 2026-06-10
- Advisory published
- 2026-06-10
- Advisory updated
- 2026-06-10
Who should care
Users of Nimiq's Rust implementation of the Nimiq Proof-of-Stake protocol, specifically those using versions prior to 1.4.0, should be aware of this vulnerability and take steps to update to the patched version.
Technical summary
The vulnerability is caused by a logic flaw in the BlockInclusionProof::is_block_proven function. When get_interlink_hops yields an empty hop list, the function returns true without performing any cryptographic verification. This can occur when the target block is at the election block position immediately preceding the election head's epoch. An attacker can exploit this vulnerability by providing transaction inclusion proofs to forge a MacroBlock header for that epoch position, which can be accepted as 'proven' without any hash or signature verification.
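The bug class described above is vacuous verification: a proof check that iterates over hops and treats "no hops" as "nothing failed". The following is an added illustration, not core-rs-albatross code; the Header type, hash_header, walk_hops, the two is_block_proven_* functions and the sample headers are all hypothetical and constructed for this example.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

/// Hypothetical header (a real MacroBlock header carries much more).
#[derive(Clone, Debug, Hash, PartialEq, Eq)]
pub struct Header {
    pub height: u64,
    pub parent_hash: u64,
}

/// Toy stand-in for a block hash (std's DefaultHasher, not a cryptographic hash).
pub fn hash_header(h: &Header) -> u64 {
    let mut s = DefaultHasher::new();
    h.hash(&mut s);
    s.finish()
}

/// Walks the hop chain from `target` towards the head; returns the hash the
/// chain ends at, or None if some hop does not link to the previous one.
fn walk_hops(target: &Header, hops: &[Header]) -> Option<u64> {
    let mut prev = hash_header(target);
    for hop in hops {
        if hop.parent_hash != prev {
            return None;
        }
        prev = hash_header(hop);
    }
    Some(prev)
}

/// Vulnerable shape: with no hops the loop never runs, and the empty case is
/// treated as "nothing left to check" instead of "nothing was checked".
pub fn is_block_proven_vulnerable(target: &Header, hops: &[Header], head_hash: u64) -> bool {
    match walk_hops(target, hops) {
        None => false,
        Some(_) if hops.is_empty() => true, // BUG: target never compared to the head
        Some(end) => end == head_hash,
    }
}

/// Fixed shape: the chain must always terminate at the trusted head hash, so an
/// empty hop list only proves a block that *is* the head.
pub fn is_block_proven_fixed(target: &Header, hops: &[Header], head_hash: u64) -> bool {
    walk_hops(target, hops) == Some(head_hash)
}

fn main() {
    let genesis = Header { height: 0, parent_hash: 0 };
    let head = Header { height: 1, parent_hash: hash_header(&genesis) };
    let head_hash = hash_header(&head);
    let forged = Header { height: 0, parent_hash: 0xDEAD_BEEF }; // constructed bogus header
    println!("forged accepted: vulnerable={} fixed={}",
        is_block_proven_vulnerable(&forged, &[], head_hash),
        is_block_proven_fixed(&forged, &[], head_hash));
}
```

A useful regression test for any inclusion-proof verifier is exactly the empty-hop case: a header that is not the head must be rejected when no hops are supplied.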
Defensive priority
MEDIUM
Recommended defensive actions
- Update to version 1.4.0 or later
- Review and verify transaction inclusion proofs
Evidence notes
The vulnerability has been patched in version 1.4.0. Users should update to this version or later to mitigate the vulnerability.
Official resources
CVE-2026-46539 was published on 2026-06-10T00:16:54.097Z and modified on 2026-06-10T19:37:41.437Z.