Description
Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, a logic flaw in BlockInclusionProof::is_block_proven causes the function to return true without performing any cryptographic verification when get_interlink_hops yields an empty hop list. This occurs when the target block is at the election block position immediately preceding the election head's epoch. An attacker providing transaction inclusion proofs can forge a MacroBlock header for that epoch position and have it accepted as "proven" without any hash or signature verification. This issue has been patched in version 1.4.0.
Published: 2026-06-09
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Nimiq's BlockInclusionProof::is_block_proven function contains a logic flaw that lets it return true without performing any cryptographic verification when get_interlink_hops produces an empty hop list. As a result, an attacker who supplies forged transaction inclusion proofs can convince a node that a MacroBlock header for a specific epoch position is proven, enabling false inclusion proofs that undermine the ledger's integrity. The weakness corresponds to CWE-345 (Insufficient Verification of Data Authenticity).
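The description above and the impact summary both come down to one pattern: a verifier whose only checks live inside a loop over proof hops, so that zero hops means zero checks and a "proven" result. The following is an added illustration, not nimiq's code (the real BlockInclusionProof structures and the actual 1.4.0 fix are not on this page). It uses a toy interlink chain in which each hop commits to the hash of the block before it; `Hop`, `toy_hash`, `build_chain`, `is_block_proven_vulnerable` and `is_block_proven_fixed` are assumed names, and `DefaultHasher` stands in for a real cryptographic hash only so the example runs offline. The vulnerable shape accepts any target header with an empty hop list; the fixed shape performs the final comparison against the trusted election head unconditionally, so an empty proof can only succeed when the target is the trusted head itself.

```rust
// Added illustrative example, not nimiq's code. A toy "interlink" proof checker:
// the target header is linked to a trusted election head through a list of hops,
// each committing to the hash of the block before it. The vulnerable variant
// only checks the final link inside the loop, so an empty hop list is accepted
// without any hash comparison (vacuous truth); the fixed variant checks the final
// link unconditionally, so an empty proof must mean "target == trusted head".
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

/// Stand-in for a block hash. Real protocols use a cryptographic hash
/// (SipHash via DefaultHasher is NOT one); it only needs to be deterministic here.
type Hash64 = u64;

fn toy_hash(data: &[u8]) -> Hash64 {
    let mut h = DefaultHasher::new();
    data.hash(&mut h);
    h.finish()
}

/// One interlink hop: a header plus the hash it claims for its predecessor.
#[derive(Clone, Debug)]
struct Hop {
    header: Vec<u8>,
    prev_hash: Hash64,
}

/// Vulnerable shape (modelled on the CVE description, not copied from nimiq):
/// the check that the chain ends at the trusted head lives inside the loop,
/// so zero hops means zero checks and `true`.
fn is_block_proven_vulnerable(target: &[u8], hops: &[Hop], trusted_head: Hash64) -> bool {
    let mut prev = toy_hash(target);
    for (i, hop) in hops.iter().enumerate() {
        if hop.prev_hash != prev {
            return false; // hop does not commit to the block before it
        }
        prev = toy_hash(&hop.header);
        if i + 1 == hops.len() && prev != trusted_head {
            return false; // last hop must be the trusted head
        }
    }
    true // reached after every hop verified, or when there were no hops at all
}

/// Fixed shape: the final comparison happens regardless of hop count. With an
/// empty hop list the only way to be "proven" is to be the trusted head itself.
fn is_block_proven_fixed(target: &[u8], hops: &[Hop], trusted_head: Hash64) -> bool {
    let mut prev = toy_hash(target);
    for hop in hops {
        if hop.prev_hash != prev {
            return false;
        }
        prev = toy_hash(&hop.header);
    }
    prev == trusted_head
}

/// Builds an honest chain target -> later_headers[0] -> ... -> head and
/// returns the hops together with the resulting trusted head hash.
fn build_chain(target: &[u8], later_headers: &[&[u8]]) -> (Vec<Hop>, Hash64) {
    let mut hops = Vec::with_capacity(later_headers.len());
    let mut prev = toy_hash(target);
    for h in later_headers {
        hops.push(Hop { header: h.to_vec(), prev_hash: prev });
        prev = toy_hash(h);
    }
    (hops, prev)
}

fn main() {
    // Constructed sample data (no relation to real Nimiq headers).
    let trusted_head = toy_hash(b"election-block-header-epoch-N");
    let forged = b"forged-macro-block-header";
    let no_hops: [Hop; 0] = [];

    println!("forged header, empty hops, vulnerable: {}",
        is_block_proven_vulnerable(forged, &no_hops, trusted_head)); // true
    println!("forged header, empty hops, fixed:      {}",
        is_block_proven_fixed(forged, &no_hops, trusted_head)); // false

    let (hops, head) = build_chain(b"real-target", &[&b"hop-1"[..], &b"hop-2"[..]]);
    println!("honest 2-hop chain, fixed: {}",
        is_block_proven_fixed(b"real-target", &hops, head)); // true
}
```

The defensive lesson is the unconditional final comparison: a proof verifier should never have a code path that returns the "proven" result without at least one hash or signature comparison against a trusted anchor, and a unit test with an empty proof and an arbitrary target is the cheapest way to catch this class of bug before release.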

Affected Systems

The vulnerability affects the Rust implementation of the Nimiq Proof-of-Stake protocol, specifically the nimiq core-rs-albatross product. All releases prior to version 1.4.0 are susceptible; version 1.4.0 and later include the fix.

Risk and Exploitability

The CVSS base score is 5.9 (medium severity). No EPSS score is available and the issue is not listed in the CISA KEV catalog. The attack likely requires remote interaction with a node that accepts transaction inclusion proofs through its RPC or peer-to-peer interfaces; it would allow an attacker to forge inclusion proofs without cryptographic validation, potentially leading to unauthorized transaction inclusion and ledger manipulation.

Generated by OpenCVE AI on June 10, 2026 at 02:36 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 1.4.0 of the nimiq core-rs-albatross project
  • Restart the node so the updated binaries are loaded
  • Restrict peer connections to trusted nodes to mitigate the arrival of forged proofs
  • Monitor inclusion proof logs for unexpected patterns and alert on any anomalies

Advisories

Source: GitHub GHSA
ID: GHSA-799f-29jm-gr6c
Title: nimiq-primitives: BlockInclusionProof interlink issue when hops are empty

History

Wed, 10 Jun 2026 02:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Nimiq; Nimiq core-rs-albatross
Vendors & Products | (none) | Nimiq; Nimiq core-rs-albatross

Wed, 10 Jun 2026 00:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, a logic flaw in BlockInclusionProof::is_block_proven causes the function to return true without performing any cryptographic verification when get_interlink_hops yields an empty hop list. This occurs when the target block is at the election block position immediately preceding the election head's epoch. An attacker providing transaction inclusion proofs can forge a MacroBlock header for that epoch position and have it accepted as "proven" without any hash or signature verification. This issue has been patched in version 1.4.0.
Title | (none) | nimiq-primitives: BlockInclusionProof interlink issue when hops are empty
Weaknesses | (none) | CWE-345
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T23:44:34.283Z

Reserved: 2026-05-14T20:42:31.368Z

Link: CVE-2026-46539

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T00:16:54.097

Modified: 2026-06-10T00:16:54.097

Link: CVE-2026-46539

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T02:15:19Z

Weaknesses