Description
nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, the staking contract accepts `UpdateValidator` transactions that set `new_voting_key=Some(...)` while omitting `new_proof_of_knowledge`. This skips the proof-of-knowledge requirement that is needed to prevent BLS rogue-key attacks when public keys are aggregated. Because Tendermint macro block justification verification aggregates validator voting keys and verifies a single aggregated BLS signature against that aggregate public key, a rogue-key voting key in the validator set can allow an attacker to forge a quorum-looking justification while only producing a single signature. While the impact is critical, the exploitability is low: the voting keys are fixed for the epoch, so the attacker would need to know the next epoch validator set (chosen through VRF), which is unlikely. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.
Published: 2026-04-22
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Rogue-key BLS signature forgery risking consensus compromise
Action: Immediate Patch
AI Analysis

Impact

The vulnerability stems from the ability to submit an UpdateValidator transaction that supplies a new voting key without the required proof‑of‑knowledge. This omission bypasses the safeguard that prevents BLS rogue‑key attacks during public key aggregation. As a result, an attacker could introduce a rogue voting key into the validator set, enabling the forging of a quorum‑looking block justification with a single forged signature.
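
The acceptance rule described above, as an added example (not code from nimiq-transaction or the advisory), with the flawed rule beside a hardened one. The two-field `UpdateValidator` struct, `check_flawed`, `check_hardened` and `demo_verify` are hypothetical names, and `demo_verify` is a constructed stand-in for real BLS proof-of-knowledge verification.

```rust
// Added example: hypothetical types and names, not nimiq-transaction's API.
#[derive(Debug, PartialEq)]
pub enum CheckError { MissingProofOfKnowledge, InvalidProofOfKnowledge }

/// Only the two fields the advisory names; key and proof are opaque bytes.
pub struct UpdateValidator {
    pub new_voting_key: Option<Vec<u8>>,
    pub new_proof_of_knowledge: Option<Vec<u8>>,
}

/// Models the flawed rule: the proof is verified only when present, so
/// `Some(key)` with no proof is accepted.
pub fn check_flawed(tx: &UpdateValidator, verify: impl Fn(&[u8], &[u8]) -> bool)
    -> Result<(), CheckError> {
    if let (Some(key), Some(proof)) =
        (tx.new_voting_key.as_deref(), tx.new_proof_of_knowledge.as_deref()) {
        if !verify(key, proof) { return Err(CheckError::InvalidProofOfKnowledge); }
    }
    Ok(())
}

/// Hardened rule: a new voting key is accepted only with a proof that
/// verifies against that same key.
pub fn check_hardened(tx: &UpdateValidator, verify: impl Fn(&[u8], &[u8]) -> bool)
    -> Result<(), CheckError> {
    match (tx.new_voting_key.as_deref(), tx.new_proof_of_knowledge.as_deref()) {
        (None, _) => Ok(()), // assumption: no key change, nothing new to aggregate
        (Some(_), None) => Err(CheckError::MissingProofOfKnowledge),
        (Some(key), Some(proof)) if verify(key, proof) => Ok(()),
        (Some(_), Some(_)) => Err(CheckError::InvalidProofOfKnowledge),
    }
}

/// Constructed stand-in for BLS proof verification (NOT cryptography):
/// a proof "verifies" when it is the key bytes reversed.
pub fn demo_verify(key: &[u8], proof: &[u8]) -> bool {
    key.iter().rev().eq(proof.iter())
}

fn main() {
    // Constructed sample transaction: key change with the proof omitted.
    let tx = UpdateValidator { new_voting_key: Some(vec![1, 2, 3]), new_proof_of_knowledge: None };
    println!("flawed:   {:?}", check_flawed(&tx, demo_verify));
    println!("hardened: {:?}", check_hardened(&tx, demo_verify));
}
```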

Affected Systems

Nimiq nimiq-transaction library versions prior to 1.3.0 are affected. Users running those versions remain exposed until they upgrade to the patched 1.3.0 release or later.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity, and the EPSS score is less than 1%. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation would require the attacker to become part of the next epoch’s validator set through the VRF selection process, which is unlikely. Therefore, while the potential impact is critical—allowing forging of block justifications—the actual exploitability is low and would normally be restricted to an already compromised validator node.

Generated by OpenCVE AI on April 28, 2026 at 15:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the nimiq-transaction component to version 1.3.0 or later
  • Rebuild and restart any nodes or clients that rely on the updated transaction library
  • Coordinate a network‑wide update to ensure all validator nodes adopt the patched transaction library

Advisories
Source ID Title
GitHub GHSA GHSA-pf4j-pf3w-95f9 nimiq-transaction: UpdateValidator transactions allows voting key change without proof-of-knowledge
History

Mon, 27 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Nimiq nimiq-transaction
Vendors & Products Nimiq nimiq-transaction

Fri, 24 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Nimiq
Nimiq nimiq Proof-of-stake
CPEs cpe:2.3:a:nimiq:nimiq_proof-of-stake:*:*:*:*:*:rust:*:*
Vendors & Products Nimiq
Nimiq nimiq Proof-of-stake

Thu, 23 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, the staking contract accepts `UpdateValidator` transactions that set `new_voting_key=Some(...)` while omitting `new_proof_of_knowledge`. This skips the proof-of-knowledge requirement that is needed to prevent BLS rogue-key attacks when public keys are aggregated. Because Tendermint macro block justification verification aggregates validator voting keys and verifies a single aggregated BLS signature against that aggregate public key, a rogue-key voting key in the validator set can allow an attacker to forge a quorum-looking justification while only producing a single signature. While the impact is critical, the exploitability is low: the voting keys are fixed for the epoch, so the attacker would need to know the next epoch validator set (chosen through VRF), which is unlikely. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.
Title nimiq-transaction: UpdateValidator transactions allows voting key change without proof-of-knowledge
Weaknesses CWE-347
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T12:56:27.980Z

Reserved: 2026-03-25T16:21:40.867Z

Link: CVE-2026-34068

Vulnrichment

Updated: 2026-04-23T12:56:22.850Z

NVD

Status: Analyzed

Published: 2026-04-22T21:17:08.197

Modified: 2026-04-24T17:10:07.777

Link: CVE-2026-34068

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T15:30:34Z
