Intel

AIKIDO-2026-573956

@walletconnect/sign-client is vulnerable to Improper Authorization

Improper Authorization Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 25, 2026

65

Medium Risk

This Affects:

JS@walletconnect/sign-client
2.0.0 - 2.23.9
Fixed in 2.23.10
Are you affected? Scan for Free

TL;DR

The Sign engine processes incoming wc_sessionUpdate requests in onSessionUpdateRequest without verifying that the sending peer is the session controller. A non-controller peer in an established session, such as a dApp using a custom SDK, can send a session update and mutate the stored session namespaces it was never authorized to change. The public update() method likewise does not restrict callers to the controller. The fix rejects wc_sessionUpdate from non-controller peers with UNAUTHORIZED_UPDATE_REQUEST and makes update() throw when invoked by a non-controller.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

@walletconnect/sign-client is vulnerable to Improper Authorization in versions 2.0.0 - 2.23.9.

How to fix this

Upgrade the @walletconnect/sign-client library to the patch version.