CVE-2026-40069
HIGHbsv-sdk ARC broadcaster treats INVALID/MALFORMED/ORPHAN responses as successful broadcasts
Title source: cnaDescription
BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.1.0 to before 0.8.2, BSV::Network::ARC's failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStatus are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network. This vulnerability is fixed in 0.8.2.
References (5)
Core 5
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhx
X_Refsource_Misc x_refsource_misc
https://github.com/sgbett/bsv-ruby-sdk/issues/305
X_Refsource_Misc x_refsource_misc
https://github.com/sgbett/bsv-ruby-sdk/pull/306
X_Refsource_Misc x_refsource_misc
https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc
X_Refsource_Misc x_refsource_misc
https://github.com/sgbett/bsv-ruby-sdk/releases/tag/v0.8.2
Scores
CVSS v3
7.5
EPSS
0.0027
EPSS Percentile
17.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-754
Status
published
Products (4)
rubygems/bsv-sdk
0.1.0 - 0.8.2RubyGems
sgbet/bsv_ruby_sdk
0.1.0 - 0.8.2
sgbett/bsv-ruby-sdk
>= 0.1.0, < 0.8.2
sgbett/bsv_ruby_sdk
0.1.0 - 0.8.2
Published
Apr 09, 2026
Tracked Since
Apr 09, 2026