CVE-2026-34209

HIGH

mppx: Tempo has a session close voucher bypass vulnerability due to settled amount equality

Title source: cna

Description

mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using "<" instead of "<=" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11.
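The boundary error described above, shown as an added TypeScript example that is not mppx's own code: a check that rejects only when the voucher is below the settled amount, next to the patched form that also rejects equality, with a small regression probe around the boundary. All function names, the Decision shape and the amounts are hypothetical and constructed for illustration.

```typescript
// Added illustration; names and shapes are hypothetical, not mppx's API.
// Amounts are constructed small integers; real token amounts need bigint.
type Decision = { accepted: boolean; newFunds: number; reason: string };

// Pre-0.4.11 behaviour as described: rejects only when voucher < settled.
function checkCloseVulnerable(voucher: number, settled: number): Decision {
  if (voucher < settled) {
    return { accepted: false, newFunds: 0, reason: "below settled amount" };
  }
  return { accepted: true, newFunds: voucher - settled, reason: "ok" };
}

// Patched comparison: rejects when voucher <= settled, so an accepted close
// always commits strictly more than what is already settled on-chain.
function checkClosePatched(voucher: number, settled: number): Decision {
  if (voucher <= settled) {
    return { accepted: false, newFunds: 0, reason: "not above settled amount" };
  }
  return { accepted: true, newFunds: voucher - settled, reason: "ok" };
}

// Regression probe: exercise the values around the boundary and list every
// voucher that a checker accepts without committing new funds.
function zeroValueAccepts(
  check: (voucher: number, settled: number) => Decision,
  settled: number,
): number[] {
  const probes = [0, settled - 1, settled, settled + 1];
  return probes.filter((v) => {
    const d = check(v, settled);
    return d.accepted && d.newFunds <= 0;
  });
}

const SETTLED = 1000; // constructed on-chain settled amount
console.log("vulnerable:", zeroValueAccepts(checkCloseVulnerable, SETTLED));
console.log("patched:   ", zeroValueAccepts(checkClosePatched, SETTLED));
```

A probe like zeroValueAccepts is worth keeping as a regression test for any payment-channel close handler: the invariant is that no accepted close leaves newFunds at zero.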

Scores

CVSS v3 7.5
EPSS 0.0001
EPSS Percentile 1.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-294
Status published
Products (2)
npm/mppx 0 - 0.4.11 (npm)
wevm/mppx < 0.4.11 (2 CPE variants)
Published Mar 31, 2026
Tracked Since Mar 31, 2026