High severity7.5NVD Advisory· Published Mar 31, 2026· Updated Apr 3, 2026
CVE-2026-34209
CVE-2026-34209
Description
mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using "<" instead of "<=" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
mppxnpm | < 0.4.11 | 0.4.11 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfbnvdPatchWEB
- github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mrnvdPatchVendor AdvisoryWEB
- github.com/advisories/GHSA-mv9j-8jvg-j8mrghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-34209ghsaADVISORY
- github.com/wevm/mppx/releases/tag/mppx@0.4.11nvdRelease NotesWEB
News mentions
0No linked articles in our index yet.