CVE-2026-40093Nimiq · Nimiq_proof-of-stake
Vulnerability data via NVD (ingested)
nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In 1.3.0 and earlier, block timestamp validation enforces that timestamp >= parent.timestamp for non-skip blocks and timestamp == parent.timestamp + MIN_PRODUCER_TIMEOUT for skip blocks, but there is no visible upper bound check against the wall clock. A malicious block-producing validator can set block timestamps arbitrarily far in the future. This directly affects reward calculations via Policy::supply_at() and batch_delay() in blockchain/src/reward.rs, inflating the monetary supply beyond the intended emission schedule.
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2026-40093product:"Nimiq Nimiq Proof-of-stake"http.html:"Nimiq Proof-of-stake"More intel sources (5)
vuln:CVE-2026-40093vulnerabilities.cve_id: CVE-2026-40093CVE-2026-40093CVE-2026-40093"CVE-2026-40093" exploit -site:nvd.nist.gov