{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40069", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T00:39:12.204Z", "datePublished": "2026-04-09T17:22:28.416Z", "dateUpdated": "2026-04-13T20:11:51.134Z"}, "containers": {"cna": {"title": "bsv-sdk ARC broadcaster treats INVALID/MALFORMED/ORPHAN responses as successful broadcasts", "problemTypes": [{"descriptions": [{"cweId": "CWE-754", "lang": "en", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhx"}, {"name": "https://github.com/sgbett/bsv-ruby-sdk/issues/305", "tags": ["x_refsource_MISC"], "url": "https://github.com/sgbett/bsv-ruby-sdk/issues/305"}, {"name": "https://github.com/sgbett/bsv-ruby-sdk/pull/306", "tags": ["x_refsource_MISC"], "url": "https://github.com/sgbett/bsv-ruby-sdk/pull/306"}, {"name": "https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc", "tags": ["x_refsource_MISC"], "url": "https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc"}, {"name": "https://github.com/sgbett/bsv-ruby-sdk/releases/tag/v0.8.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/sgbett/bsv-ruby-sdk/releases/tag/v0.8.2"}], "affected": [{"vendor": "sgbett", "product": "bsv-ruby-sdk", "versions": [{"version": ">= 0.1.0, < 0.8.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T17:22:28.416Z"}, "descriptions": [{"lang": "en", "value": "BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.1.0 to before 0.8.2, BSV::Network::ARC's failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStatus are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network. This vulnerability is fixed in 0.8.2."}], "source": {"advisory": "GHSA-9hfr-gw99-8rhx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T20:11:39.186859Z", "id": "CVE-2026-40069", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T20:11:51.134Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40069", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T20:11:39.186859Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T20:11:45.553Z"}}], "cna": {"title": "bsv-sdk ARC broadcaster treats INVALID/MALFORMED/ORPHAN responses as successful broadcasts", "source": {"advisory": "GHSA-9hfr-gw99-8rhx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "sgbett", "product": "bsv-ruby-sdk", "versions": [{"status": "affected", "version": ">= 0.1.0, < 0.8.2"}]}], "references": [{"url": "https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhx", "name": "https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/sgbett/bsv-ruby-sdk/issues/305", "name": "https://github.com/sgbett/bsv-ruby-sdk/issues/305", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/sgbett/bsv-ruby-sdk/pull/306", "name": "https://github.com/sgbett/bsv-ruby-sdk/pull/306", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc", "name": "https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/sgbett/bsv-ruby-sdk/releases/tag/v0.8.2", "name": "https://github.com/sgbett/bsv-ruby-sdk/releases/tag/v0.8.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.1.0 to before 0.8.2, BSV::Network::ARC's failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStatus are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network. This vulnerability is fixed in 0.8.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-754", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T17:22:28.416Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40069", "state": "PUBLISHED", "dateUpdated": "2026-04-13T20:11:51.134Z", "dateReserved": "2026-04-09T00:39:12.204Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T17:22:28.416Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sgbett:bsv_ruby_sdk:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "90A4B053-0571-45B3-85A6-0CE005E42D5E", "versionEndExcluding": "0.8.2", "versionStartIncluding": "0.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.1.0 to before 0.8.2, BSV::Network::ARC's failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStatus are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network. This vulnerability is fixed in 0.8.2."}], "id": "CVE-2026-40069", "lastModified": "2026-04-30T14:01:51.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T18:17:03.043", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/sgbett/bsv-ruby-sdk/issues/305"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/sgbett/bsv-ruby-sdk/pull/306"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/sgbett/bsv-ruby-sdk/releases/tag/v0.8.2"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-754"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.1.0,0.8.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "bsv-ruby-sdk", "source": "cna", "vendor": "sgbett"}, "product": "bsv-ruby-sdk", "vendor": "sgbett"}], "analysis": {"en": {"generated_at": "2026-04-09T19:51:23.320494+00:00", "value": {"mitigation_remediation": ["Upgrade the BSV Ruby SDK to version 0.8.2 or later to apply the fix for ARC broadcast response handling.", "Verify transaction acceptance through independent checks if the application logic depends on SDK success notifications."], "summary": {"action": "Patch", "impact": "False Transaction Acceptance"}, "threat_synthesis": {"affected_systems": "The vulnerability affects SGBett\u2019s BSV Ruby SDK versions from 0.1.0 up through the release immediately before 0.8.2. The affected component is the ARC broadcast functionality within the SDK. Versions 0.8.2 and later include the fix.", "description_and_impact": "The BSV Ruby SDK\u2019s ARC broadcasting component mistakenly interprets certain network responses\u2014specifically those with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN indicator\u2014as successful broadcasts. This logical flaw, classified under CWE\u2011754, deceives applications that rely on the SDK\u2019s success notification, allowing them to think a transaction has been accepted when it has not. Consequently, unvalidated or rejected transactions may be processed, leading to potential financial loss or unauthorized activity.", "risk_and_exploitability": "With a CVSS score of 7.5 the flaw carries a high severity, although no EPSS data is available and it is not listed in CISA\u2019s KEV catalog. The attacker can exploit the issue by triggering a transaction broadcast via the SDK while the network rejects it; the SDK\u2019s incorrect success handling allows the attacker to bypass transaction validation. The attack vector is application\u2011side, relying on the SDK\u2019s erroneous success indication without additional verification, making it particularly concerning for users who trust the SDK\u2019s response."}}}}, "created": "2026-04-10T08:52:45.385545+00:00", "updated": "2026-04-10T09:31:56.304807+00:00", "vendors": ["sgbett", "sgbett$PRODUCT$bsv-ruby-sdk"]}