Description
BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.1.0 to before 0.8.2, BSV::Network::ARC's failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStatus are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network. This vulnerability is fixed in 0.8.2.
Published: 2026-04-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: False Transaction Acceptance
Action: Patch
AI Analysis

Impact

The BSV Ruby SDK’s ARC broadcasting component mistakenly interprets certain network responses—specifically those with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN indicator—as successful broadcasts. This logical flaw, classified under CWE‑754, deceives applications that rely on the SDK’s success notification, allowing them to think a transaction has been accepted when it has not. Consequently, unvalidated or rejected transactions may be processed, leading to potential financial loss or unauthorized activity.

Affected Systems

The vulnerability affects SGBett’s BSV Ruby SDK versions from 0.1.0 up through the release immediately before 0.8.2. The affected component is the ARC broadcast functionality within the SDK. Versions 0.8.2 and later include the fix.

Risk and Exploitability

With a CVSS score of 7.5 the flaw carries a high severity, although no EPSS data is available and it is not listed in CISA’s KEV catalog. The attacker can exploit the issue by triggering a transaction broadcast via the SDK while the network rejects it; the SDK’s incorrect success handling allows the attacker to bypass transaction validation. The attack vector is application‑side, relying on the SDK’s erroneous success indication without additional verification, making it particularly concerning for users who trust the SDK’s response.

Generated by OpenCVE AI on April 9, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the BSV Ruby SDK to version 0.8.2 or later to apply the fix for ARC broadcast response handling.
  • Verify transaction acceptance through independent checks if the application logic depends on SDK success notifications.

Generated by OpenCVE AI on April 9, 2026 at 19:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9hfr-gw99-8rhx bsv-sdk ARC broadcaster treats INVALID/MALFORMED/ORPHAN responses as successful broadcasts
History

Thu, 30 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Sgbett bsv Ruby Sdk
CPEs cpe:2.3:a:sgbet:bsv_ruby_sdk:*:*:*:*:*:ruby:*:* cpe:2.3:a:sgbett:bsv_ruby_sdk:*:*:*:*:*:ruby:*:*
Vendors & Products Sgbet
Sgbet bsv Ruby Sdk
Sgbett bsv Ruby Sdk

Tue, 28 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Sgbet
Sgbet bsv Ruby Sdk
CPEs cpe:2.3:a:sgbet:bsv_ruby_sdk:*:*:*:*:*:ruby:*:*
Vendors & Products Sgbet
Sgbet bsv Ruby Sdk

Mon, 13 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Sgbett
Sgbett bsv-ruby-sdk
Vendors & Products Sgbett
Sgbett bsv-ruby-sdk

Thu, 09 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.1.0 to before 0.8.2, BSV::Network::ARC's failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStatus are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network. This vulnerability is fixed in 0.8.2.
Title bsv-sdk ARC broadcaster treats INVALID/MALFORMED/ORPHAN responses as successful broadcasts
Weaknesses CWE-754
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Sgbett Bsv-ruby-sdk Bsv Ruby Sdk
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T20:11:51.134Z

Reserved: 2026-04-09T00:39:12.204Z

Link: CVE-2026-40069

cve-icon Vulnrichment

Updated: 2026-04-13T20:11:45.553Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T18:17:03.043

Modified: 2026-04-30T14:01:51.083

Link: CVE-2026-40069

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:31:56Z

Weaknesses