CVE-2026-40093

Name of the Vulnerable Software and Affected Versions nimiq-blockchain versions 1.3.0 and earlier

Description nimiq-blockchain, used for persistent block storage in Nimiq's Rust implementation, has an issue where block timestamp validation lacks an upper bound check against the wall clock in versions 1.3.0 and earlier. A malicious block-producing validator can set block timestamps arbitrarily far into the future. This impacts reward calculations via the Policy::supply at() and batch delay() functions in the blockchain/src/reward.rs file, potentially inflating the monetary supply beyond the intended emission schedule.

Recommendations Update to a version later than 1.3.0.