PT-2020-16538 · Lightning Network · Lnd
Antoine Riard · Published 2020-10-21 · Updated 2024-01-19 · CVE-2020-26896
CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions
LND (Lightning Network Daemon) versions prior to 0.11.0-beta
Description
The issue is a flaw in LND's invoice database: while claiming a received HTLC output on-chain, LND failed to verify that the outgoing off-chain HTLC had been settled before releasing the preimage. This could lead to a hash-and-amount collision with an invoice, causing the preimage for an expected payment to be released instead. A malicious peer could intercept an HTLC, probe the preimage through a colluding relayed HTLC, and steal the intercepted HTLC, resulting in a loss of funds and weakened receiver privacy.
Recommendations
For versions prior to 0.11.0-beta, update to version 0.11.0-beta or later to resolve the issue.
Affected Products
Lnd