Vulnerability in Nimiq Proof-of-Stake Protocol - Nimiq Core Rust Implementation
CVE-2026-28402

7.1 HIGH

Key Information:

Vendor: Nimiq

CVE Published: 27 February 2026

What is CVE-2026-28402?

Versions of the Nimiq Core Rust implementation prior to 1.2.2 contain a vulnerability in macro block proposal verification. A compromised validator could craft a macro block proposal with a mismatched body hash, and the proposal would still pass verification. This happens because proposal verification checks only the header and does not check the binding between body_root and the body hash, which can lead to a crash of validator nodes. A patch released in v1.2.2 improves the checks to prevent these scenarios. Keeping node software up to date remains important for operational integrity.
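The missing check described above, as an added example that is not code from core-rs-albatross: a simplified model comparing header-only verification with verification that also binds the body to body_root. All type and function names are hypothetical, the header rule is a placeholder, and the standard library's DefaultHasher stands in for the real cryptographic hash.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

// Hypothetical, simplified types; not the structures used by core-rs-albatross.
#[derive(Hash)]
struct MacroBody { validators: Vec<String> }
struct MacroHeader { block_number: u32, body_root: u64 }
struct Proposal { header: MacroHeader, body: MacroBody }

#[derive(Debug, PartialEq)]
enum VerifyError { InvalidHeader, BodyRootMismatch }

// Stand-in for the real cryptographic hash (DefaultHasher is not collision resistant).
fn body_hash(body: &MacroBody) -> u64 {
    let mut hasher = DefaultHasher::new();
    body.hash(&mut hasher);
    hasher.finish()
}

// Placeholder header rule for the demo; real header validation is far richer.
fn verify_header(header: &MacroHeader) -> Result<(), VerifyError> {
    if header.block_number == 0 { Err(VerifyError::InvalidHeader) } else { Ok(()) }
}

// Header-only verification: the body is never compared with header.body_root.
fn verify_header_only(p: &Proposal) -> Result<(), VerifyError> {
    verify_header(&p.header)
}

// Header verification plus the binding check between the body and body_root.
fn verify_with_binding(p: &Proposal) -> Result<(), VerifyError> {
    verify_header(&p.header)?;
    if body_hash(&p.body) != p.header.body_root {
        return Err(VerifyError::BodyRootMismatch);
    }
    Ok(())
}

// Constructed sample: the header commits to one body; `mismatched` swaps in another.
fn sample(mismatched: bool) -> Proposal {
    let committed = MacroBody { validators: vec!["val-a".into(), "val-b".into()] };
    let header = MacroHeader { block_number: 64, body_root: body_hash(&committed) };
    let body = if mismatched { MacroBody { validators: vec!["val-x".into()] } } else { committed };
    Proposal { header, body }
}

fn main() {
    for mismatched in [false, true] {
        let p = sample(mismatched);
        println!("mismatched={}: header-only={:?}, with-binding={:?}",
                 mismatched, verify_header_only(&p), verify_with_binding(&p));
    }
}
```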

Affected Version(s)

core-rs-albatross < 1.2.2

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
