Staking Contract Vulnerability in Nimiq's Rust Implementation
CVE-2026-34068

6.8MEDIUM

Key Information:

Vendor

Nimiq

Status
Nimiq-transaction
Vendor
CVE Published:
22 April 2026

What is CVE-2026-34068?

The Nimiq staking contract prior to version 1.3.0 allows for a security gap where the UpdateValidator transactions can ignore the required new_proof_of_knowledge. This omission bypasses the necessary proof-of-knowledge check that is pivotal in preventing BLS rogue-key attacks during public key aggregation. The result enables an attacker potential manipulation of validator voting keys and the creation of a misleading quorum-looking justification with a single signature. The vulnerability can be addressed by upgrading to version 1.3.0 or later, as this version includes a necessary patch.

Affected Version(s)

nimiq-transaction < 1.3.0

References

https://github.com/nimiq/core-rs-albatross/security/advis...
x_refsource_CONFIRM
https://github.com/nimiq/core-rs-albatross/pull/3654
x_refsource_MISC
https://github.com/nimiq/core-rs-albatross/commit/e7f0ab7...
x_refsource_MISC

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.