Intel

AIKIDO-2026-415196

@walletconnect/core is vulnerable to Improper Verification of Data Authenticity

Improper Verification of Data Authenticity Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 25, 2026

50

Medium Risk

This Affects:

JS@walletconnect/core
2.16.0 - 2.23.9
Fixed in 2.23.10
Are you affected? Scan for Free

TL;DR

The relay transport message handler in pairing.ts (registerRelayerEvents) processes inbound envelopes without checking the envelope type against the active transport. Plaintext TYPE_2 envelopes, which are only intended for link mode, are accepted and decoded on the standard relay path even though they carry no encryption or peer authentication. An attacker able to publish to a topic the client is subscribed to can deliver crafted plaintext payloads that the client treats as legitimate relay messages, enabling unauthenticated message injection and spoofing. The fix ignores TYPE_2 payloads received over the relay so they are only handled in link mode.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

@walletconnect/core is vulnerable to Improper Verification of Data Authenticity in versions 2.16.0 - 2.23.9.

How to fix this

Upgrade the @walletconnect/core library to the patch version.