github.com/cometbft/cometbft is vulnerable to Insufficient Verification of Data Authenticity
65
Medium Risk
Affected versions of this package contain an improper validation flaw in evidence handling: Byzantine validator entries could have their public keys swapped while retaining the original validator addresses. This could redirect misbehavior reports to the wrong validator, or allow malicious actors to interfere with accountability during evidence verification. An attacker controlling sufficient Byzantine validators could craft forged evidence with mismatched address/pubkey pairs so that the system misattributes consensus faults, potentially disrupting slashing, incident response, or other validator punishment logic. The fix enforces that each validator's public key matches its address before the evidence is accepted.
You are affected if you are using a version that falls within the vulnerable range.
github.com/cometbft/cometbft is vulnerable to Insufficient Verification of Data Authenticity in versions 0.34.27 - 0.38.21.
Upgrade the github.com/cometbft/cometbft library to a patched version.
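The check the fix enforces, shown as an added stand-alone example (not CometBFT's own code): each Byzantine validator entry's address must be derivable from its public key, so an entry whose pubkey was swapped while keeping the original address is rejected. It assumes the ed25519 convention that a validator address is the first 20 bytes of SHA-256 over the raw key; the `ByzantineValidator` type and sample keys are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ByzantineValidator is a minimal stand-in for a validator entry carried in
// evidence. Constructed for this example; not CometBFT's own type.
type ByzantineValidator struct {
	Address []byte
	PubKey  []byte // raw ed25519 public key bytes
}

// addressFromPubKey derives a validator address from an ed25519 public key:
// first 20 bytes of SHA-256(pubkey). Assumed here for ed25519 only; other
// key types use different derivations.
func addressFromPubKey(pub []byte) []byte {
	sum := sha256.Sum256(pub)
	return sum[:20]
}

// ValidateByzantineValidators rejects evidence whose validator entries carry
// a public key that does not derive to the stated address, so a mismatched
// address/pubkey pair cannot redirect a misbehavior report to another validator.
func ValidateByzantineValidators(vals []ByzantineValidator) error {
	for i, v := range vals {
		if len(v.PubKey) != 32 {
			return fmt.Errorf("validator %d: unexpected pubkey length %d", i, len(v.PubKey))
		}
		if !bytes.Equal(addressFromPubKey(v.PubKey), v.Address) {
			return fmt.Errorf("validator %d: address %s does not match pubkey",
				i, hex.EncodeToString(v.Address))
		}
	}
	return nil
}

func main() {
	honestKey := bytes.Repeat([]byte{0x01}, 32) // constructed sample key
	otherKey := bytes.Repeat([]byte{0x02}, 32)  // constructed second key
	good := ByzantineValidator{Address: addressFromPubKey(honestKey), PubKey: honestKey}
	// Forged entry: original address kept, pubkey replaced with another key.
	swapped := ByzantineValidator{Address: addressFromPubKey(honestKey), PubKey: otherKey}
	fmt.Println("well-formed:", ValidateByzantineValidators([]ByzantineValidator{good}))
	fmt.Println("swapped:", ValidateByzantineValidators([]ByzantineValidator{swapped}))
}
```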