CVE-2026-33471 - Vulnerability Analysis

Overview

nimiq-block < 1.3.0 contains a signature verification bypass caused by out-of-range MultiSignature.signers indices colliding on u16 slots in SkipBlockProof::verify, letting malicious validators bypass quorum checks, exploit requires crafted SkipBlockProof.

Severity & Score

Impact

Malicious validators can bypass quorum verification, allowing unauthorized block approval with fewer valid signatures.

Mitigation

Update to version 1.3.0 or later.

References

• https://github.com/nimiq/core-rs-albatross/commit/d02059053181ed8ddad6b59a0adfd661ef5cd823
• https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0
• https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-6973-8887-87ff

Social Media Activity(1 post)

OffSequence

@offseq

Apr 23, 2026

🔥 CRITICAL vuln in nimiq-block (<1.3.0): Flawed input validation in SkipBlockProof::verify lets attackers bypass PoS quorum using crafted indices. Patch in v1.3.0 — upgrade ASAP! CVE-2026-33471 https://radar.offseq.com/threat/cve-2026-33471-cwe-20-improper-input-validation-in-2bd8708b #OffSeq #Rust #Security #Blockchain

View original post

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner