CVE-2026-34068: nimiq-transaction: UpdateValidator transactions allow voting key change without proof-of-knowledge
The staking contract accepts UpdateValidator transactions that set new_voting_key=Some(...) while omitting new_proof_of_knowledge. This skips the proof-of-knowledge requirement that is needed to prevent BLS rogue-key attacks when public keys are aggregated.
Because Tendermint macro block justification verification aggregates validator voting keys and verifies a single aggregated BLS signature against that aggregate public key, a rogue-key voting key in the validator set can allow an attacker to forge a quorum-looking justification while only producing a single signature.
While the impact is critical, the exploitability is low: the voting keys are fixed for the epoch, so the attacker would need to know the next epoch validator set (chosen through VRF), which is unlikely.
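The missing check, as an added example that is not code from nimiq or from the advisory: a model of the flawed acceptance rule beside a hardened one. All type and function names are hypothetical, `toy_verify` is a constructed stand-in for BLS proof-of-knowledge verification, and rejecting a proof sent without a key is this example's own policy choice.

```rust
// Added illustration: every name here is hypothetical, not nimiq's API.
#[derive(Debug, PartialEq)]
pub enum UpdateError { MissingProof, InvalidProof, ProofWithoutKey }

/// The two UpdateValidator fields the advisory is about.
pub struct VotingKeyUpdate<'a> {
    pub new_voting_key: Option<&'a [u8]>,
    pub new_proof_of_knowledge: Option<&'a [u8]>,
}

/// Models the flawed rule: the proof is verified only when one is present,
/// so a new voting key with no proof at all is accepted.
pub fn check_flawed(
    u: &VotingKeyUpdate<'_>,
    verify: impl Fn(&[u8], &[u8]) -> bool,
) -> Result<(), UpdateError> {
    if let (Some(key), Some(pok)) = (u.new_voting_key, u.new_proof_of_knowledge) {
        if !verify(key, pok) {
            return Err(UpdateError::InvalidProof);
        }
    }
    Ok(())
}

/// Hardened rule: a key change is accepted only together with a valid proof.
pub fn check_hardened(
    u: &VotingKeyUpdate<'_>,
    verify: impl Fn(&[u8], &[u8]) -> bool,
) -> Result<(), UpdateError> {
    match (u.new_voting_key, u.new_proof_of_knowledge) {
        (None, None) => Ok(()), // voting key left unchanged
        (Some(key), Some(pok)) if verify(key, pok) => Ok(()),
        (Some(_), Some(_)) => Err(UpdateError::InvalidProof),
        (Some(_), None) => Err(UpdateError::MissingProof), // the advisory's case
        (None, Some(_)) => Err(UpdateError::ProofWithoutKey),
    }
}

/// Constructed stand-in for proof-of-knowledge verification (not real crypto).
pub fn toy_verify(key: &[u8], pok: &[u8]) -> bool {
    pok.starts_with(b"pok:") && &pok[4..] == key
}

fn main() {
    let u = VotingKeyUpdate { new_voting_key: Some(&b"key-A"[..]), new_proof_of_knowledge: None };
    println!("flawed:   {:?}", check_flawed(&u, toy_verify));
    println!("hardened: {:?}", check_hardened(&u, toy_verify));
}
```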
References
- github.com/advisories/GHSA-pf4j-pf3w-95f9
- github.com/nimiq/core-rs-albatross
- github.com/nimiq/core-rs-albatross/commit/e7f0ab7d2115e17d6e5548ddc60f10df1a5d645f
- github.com/nimiq/core-rs-albatross/pull/3654
- github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0
- github.com/nimiq/core-rs-albatross/security/advisories/GHSA-pf4j-pf3w-95f9
- nvd.nist.gov/vuln/detail/CVE-2026-34068