CVE-2026-34210

Source
https://cve.org/CVERecord?id=CVE-2026-34210
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34210.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-34210
Aliases
Published
2026-03-31T14:10:10.463Z
Modified
2026-04-02T13:29:32.498233Z
Severity
  • 6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
mppx has Stripe charge credential replay via missing idempotency check
Details

mppx is a TypeScript interface for the machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new challenge, and the server would accept the replayed Stripe PaymentIntent as a new successful payment even though the customer was not charged again. This allowed an attacker to pay once and consume unlimited resources by replaying the credential. The issue is patched in version 0.4.11.
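
The missing check described above, as an added TypeScript example that is not mppx's own code: a constructed in-memory stand-in for Stripe's idempotency layer, with a verifier that ignores the Idempotent-Replayed header beside one that rejects replayed responses. The credential shape, the function names and the derivation of the idempotency key from the spt token are assumptions made for illustration.

```typescript
// Constructed stand-in for Stripe's idempotency layer (not the real SDK): the first
// request with a given key creates a charge; a repeat returns the stored
// PaymentIntent with "Idempotent-Replayed: true" and charges nothing.
type StripeResponse = { headers: Record<string, string>; body: { id: string; status: string } };

class MockStripe {
  charges = 0;
  cache = new Map<string, { id: string; status: string }>();

  createPaymentIntent(idempotencyKey: string): StripeResponse {
    const cached = this.cache.get(idempotencyKey);
    if (cached !== undefined) {
      return { headers: { "idempotent-replayed": "true" }, body: cached };
    }
    this.charges += 1;
    const body = { id: `pi_constructed_${this.charges}`, status: "succeeded" };
    this.cache.set(idempotencyKey, body);
    return { headers: {}, body };
  }
}

// Hypothetical credential shape: the challenge being answered plus the spt token.
type Credential = { challengeId: string; spt: string };

// Assumption: the idempotency key depends on the spt token only, so the same
// token presented for a different challenge maps to the same key.
const keyFor = (cred: Credential): string => `charge:${cred.spt}`;

// Behaviour the advisory describes before 0.4.11: only the status is inspected.
function verifyWithoutReplayCheck(stripe: MockStripe, cred: Credential): boolean {
  return stripe.createPaymentIntent(keyFor(cred)).body.status === "succeeded";
}

// Hardened form: a replayed response is not evidence of a new payment.
function verifyWithReplayCheck(stripe: MockStripe, cred: Credential): boolean {
  const res = stripe.createPaymentIntent(keyFor(cred));
  if (res.headers["idempotent-replayed"] === "true") return false;
  return res.body.status === "succeeded";
}

// Present one constructed token against two challenges and count the outcome.
function run(verify: (s: MockStripe, c: Credential) => boolean) {
  const stripe = new MockStripe();
  const creds: Credential[] = [
    { challengeId: "challenge-1", spt: "spt_constructed_token" },
    { challengeId: "challenge-2", spt: "spt_constructed_token" },
  ];
  const accepted = creds.filter((c) => verify(stripe, c)).length;
  return { accepted, charges: stripe.charges };
}
```
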

Database specific
{
    "cwe_ids": [
        "CWE-697"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34210.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/wevm/mppx

Affected ranges

Type
GIT
Repo
https://github.com/wevm/mppx
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.4.11"
        }
    ]
}

Affected versions

mpay@0.*
mpay@0.1.0
mpay@0.2.0
mpay@0.2.1
mpay@0.2.2
mpay@0.2.3
mpay@0.2.4
mppx@0.*
mppx@0.1.0
mppx@0.1.1
mppx@0.2.0
mppx@0.2.1
mppx@0.2.2
mppx@0.2.3
mppx@0.2.4
mppx@0.2.5
mppx@0.2.6
mppx@0.3.1
mppx@0.3.11
mppx@0.3.12
mppx@0.3.13
mppx@0.3.14
mppx@0.3.15
mppx@0.3.16
mppx@0.3.2
mppx@0.3.3
mppx@0.3.4
mppx@0.3.5
mppx@0.3.6
mppx@0.3.7
mppx@0.3.8
mppx@0.3.9
mppx@0.4.0
mppx@0.4.1
mppx@0.4.10
mppx@0.4.2
mppx@0.4.3
mppx@0.4.4
mppx@0.4.5
mppx@0.4.6
mppx@0.4.7
mppx@0.4.8
mppx@0.4.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34210.json"