Description

nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryStore::put_historic_txns` uses an `assert!` to enforce invariants about `HistoricTransaction.block_number` (must be within the macro block being pushed and within the same epoch). During history sync, a peer can influence the `history: &[HistoricTransaction]` input passed into `Blockchain::push_history_sync`, and a malformed history list can violate these invariants and trigger a panic. `extend_history_sync` calls `this.history_store.add_to_history(..)` before comparing the computed history root against the macro block header (`block.history_root()`), so the panic can happen before later rejection checks run. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.

INFO

Published Date :

2026-04-22T19:47:49.249Z

Last Modified :

2026-04-23T12:57:06.467Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-34066 vulnerability.

Vendors Products
Nimiq
  • Nimiq-blockchain
  • Nimiq Proof-of-stake
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34066.

URL Resource
https://github.com/nimiq/core-rs-albatross/commit/6f5511309c199d84b012fe6b9aba7e5582892c50 cve-icon cve-icon
https://github.com/nimiq/core-rs-albatross/pull/3656 cve-icon cve-icon
https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0 cve-icon cve-icon
https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-j99g-7rqw-q9jg cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact