CVE-2026-40069

CVE-2026-40069 is a high-severity security vulnerability in bsv-sdk (rubygems), affecting versions >= 0.1.0, < 0.8.2. It is fixed in 0.8.2.

Summary

ARC broadcaster treats failure statuses as successful broadcasts

BSV::Network::ARC's failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStatus are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network.

Details

lib/bsv/network/arc.rb (lines ~74-100 in the affected code) uses a narrow failure predicate compared to the TypeScript reference SDK. The TS broadcaster additionally recognises:

  • INVALID
  • MALFORMED
  • MINED_IN_STALE_BLOCK
  • Any response containing ORPHAN in extraInfo or txStatus

The Ruby implementation omits all of these, so ARC responses carrying any of these statuses are returned to the caller as successful broadcasts.

Additional divergences in the same module compound the risk:

  • Content-Type is sent as application/octet-stream; the TS reference sends application/json with a { rawTx: <hex> } body (EF form where source transactions are available).
  • The headers XDeployment-ID, X-CallbackUrl, and X-CallbackToken are not sent.

The immediate security-relevant defect is the missing failure statuses; the other divergences are fixed in the same patch for protocol compliance.

CVSS rationale

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N7.5 (High)

  • AV:N, network-reachable.
  • AC:L, no specialised access conditions are required. Triggering any of the unhandled failure statuses is not meaningfully harder than broadcasting a transaction at all: a malformed or invalid transaction, an orphan condition from a transient fork, or a hostile/misbehaving ARC endpoint returning one of these statuses is sufficient. The attacker does not need to defeat any mitigation or race a specific window, the bug is that the code path doesn't exist at all.
  • PR:N, no privileges required.
  • UI:N, no user interaction.
  • C:N, no confidentiality impact.
  • I:H, downstream integrity decisions are taken on non-broadcast transactions.
  • A:N, no availability impact.

Affected versions

The ARC broadcaster was introduced in commit a1f2e62 ("feat(network): add ARC broadcaster with injectable HTTP client") on 2026-02-08 and first released in v0.1.0. The narrow failure predicate has been present since introduction. Every release up to and including v0.8.1 is affected.

Affected range: >= 0.1.0, < 0.8.2.

Note for bsv-wallet consumers

The sibling gem bsv-wallet (published from the same repository) is not independently vulnerable, lib/bsv/network/arc.rb is not bundled into the wallet gem's files list. However, bsv-wallet runtime-depends on bsv-sdk, so a consumer of bsv-wallet that also invokes the ARC broadcaster is transitively exposed whenever Gemfile.lock resolves to a vulnerable bsv-sdk version. bsv-wallet >= 0.3.4 tightens its bsv-sdk constraint to >= 0.8.2, < 1.0, so upgrading either gem is sufficient to pull in the fix.

Workarounds

If upgrading is not immediately possible:

  • Verify broadcast results out-of-band (e.g. query a block explorer or WhatsOnChain) before treating a transaction as broadcast.
  • Do not gate integrity-critical actions solely on the ARC broadcaster's success response.

Credit

Identified during the 2026-04-08 cross-SDK compliance review, tracked as finding F5.13.

References

Impact

Integrity: callers receive a success response for broadcasts that were actually rejected by the ARC endpoint. Applications and downstream gems that gate actions on broadcaster success, releasing goods, marking invoices paid, treating a token as minted, progressing a workflow, are tricked into trusting transactions that were never broadcast.

This is an integrity bug with security consequences. It does not disclose information (confidentiality unaffected) and does not affect availability.

CVE-2026-40069 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.8.2); upgrading removes the vulnerable code path.

Affected versions

bsv-sdk (>= 0.1.0, < 0.8.2)

Security releases

bsv-sdk → 0.8.2 (rubygems)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade to bsv-sdk >= 0.8.2. The fix:

  • Expands the failure predicate (REJECTED_STATUSES + ORPHAN substring check on both txStatus and extraInfo) to include INVALID, MALFORMED, MINED_IN_STALE_BLOCK, and any orphan-containing response, matching the TypeScript reference.
  • Switches Content-Type to application/json with a { rawTx: <hex> } body, preferring Extended Format (BRC-30) hex when every input has source_satoshis and source_locking_script populated and falling back to plain raw-tx hex otherwise.
  • Adds support for the XDeployment-ID (default: random bsv-ruby-sdk-<hex>), X-CallbackUrl, and X-CallbackToken headers via new constructor keyword arguments.

Fixed in sgbett/bsv-ruby-sdk#306.

Frequently Asked Questions

  1. What is CVE-2026-40069? CVE-2026-40069 is a high-severity security vulnerability in bsv-sdk (rubygems), affecting versions >= 0.1.0, < 0.8.2. It is fixed in 0.8.2.
  2. How severe is CVE-2026-40069? CVE-2026-40069 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of bsv-sdk are affected by CVE-2026-40069? bsv-sdk (rubygems) versions >= 0.1.0, < 0.8.2 is affected.
  4. Is there a fix for CVE-2026-40069? Yes. CVE-2026-40069 is fixed in 0.8.2. Upgrade to this version or later.
  5. Is CVE-2026-40069 exploitable, and should I be worried? Whether CVE-2026-40069 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-40069 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-40069? Upgrade bsv-sdk to 0.8.2 or later.

Other vulnerabilities in bsv-sdk

CVE-2026-40069

Stop the waste.
Protect your environment with Kodem.