1. Home
  2. CVE Database
  3. CVE-2020-26896
HIGH · 8.2

CVE-2020-26896

Prior to 0.11.0-beta, LND (Lightning Network Daemon) had a vulnerability in its invoice database. While claiming on-chain a received HTLC output, it didn't verify that the corresponding outgoing off-c...

Vulnerability Description

Prior to 0.11.0-beta, LND (Lightning Network Daemon) had a vulnerability in its invoice database. While claiming on-chain a received HTLC output, it didn't verify that the corresponding outgoing off-chain HTLC was already settled before releasing the preimage. In the case of a hash-and-amount collision with an invoice, the preimage for an expected payment was instead released. A malicious peer could have deliberately intercepted an HTLC intended for the victim node, probed the preimage through a colluding relayed HTLC, and stolen the intercepted HTLC. The impact is a loss of funds in certain situations, and a weakening of the victim's receiver privacy.

CVSS Score

8.2

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
HIGH
Availability
NONE

Affected Products

VendorProductVersions
Lightning Network Daemon ProjectLightning Network Daemon< 0.11.0

Related Weaknesses (CWE)

CWE-354

References

FAQ

What is CVE-2020-26896?

CVE-2020-26896 is a vulnerability with a CVSS score of 8.2 (HIGH). Prior to 0.11.0-beta, LND (Lightning Network Daemon) had a vulnerability in its invoice database. While claiming on-chain a received HTLC output, it didn't verify that the corresponding outgoing off-c...

How severe is CVE-2020-26896?

CVE-2020-26896 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-26896?

Check the references section above for vendor advisories and patch information. Affected products include: Lightning Network Daemon Project Lightning Network Daemon.