CVE-2019-12999

HIGH

Lightning Network Daemon <0.7 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-12999. PoCs published by lightninglabs.

AI-analyzed exploit summary: This repository contains a tool to detect if an `lnd` node was affected by CVE-2019-12999, which involves invalid channel acceptance in the Lightning Network. The tool checks for discrepancies between subjective and objective channel views to identify fake channels and quantify potential losses.

Description

Lightning Network Daemon (lnd) before 0.7 allows attackers to trigger loss of funds because of Incorrect Access Control.

Exploits (1)

nomisec SCANNER 10 stars
by lightninglabs · poc
https://github.com/lightninglabs/chanleakcheck

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: lnd (Lightning Network Daemon)
Auth required
Prerequisites: Access to the target `lnd` node's gRPC interface · Read-only macaroon for authentication · TLS certificate for secure communication
devstral-2 · analyzed Feb 18, 2026

References (3)

Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/lightningnetwork/lnd/commits/master
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/lightningnetwork/lnd/releases/tag/v0.7.0-beta
Exploit, Mailing List, Third Party Advisory x_refsource_confirm
https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-September/002174.html

Scores

CVSS v3: 7.5
EPSS: 0.0082
EPSS Percentile: 74.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

Status: published
Products (2)
lightning/network_daemon < 0.7
lightningnetwork/lnd 0 - 0.7.1-beta (Go)
Published: Jan 31, 2020
Tracked Since: Feb 18, 2026