CVE-2026-40093: nimiq-blockchain is missing a wall-clock upper bound on block timestamps

April 10, 2026

Block timestamp validation enforces that timestamp >= parent.timestamp for non-skip blocks and timestamp == parent.timestamp + MIN_PRODUCER_TIMEOUT for skip blocks, but there is no visible upper bound check against the wall clock. A malicious block-producing validator can set block timestamps arbitrarily far in the future. This directly affects reward calculations via Policy::supply_at() and batch_delay() in blockchain/src/reward.rs, inflating the monetary supply beyond the intended emission schedule.

References

github.com/advisories/GHSA-49xc-52mp-cc9j
github.com/nimiq/core-rs-albatross
github.com/nimiq/core-rs-albatross/security/advisories/GHSA-49xc-52mp-cc9j
nvd.nist.gov/vuln/detail/CVE-2026-40093

Code Behaviors & Features

Detect and mitigate CVE-2026-40093 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →