CVE-2026-34210 MEDIUM

CVE-2026-34210: mppx has Stripe charge credential replay via missing idempotency check

Vendor Wevm

Product mppx

Weakness CWE-697

Published March 31, 2026

Last update March 31, 2026

View on NVD All CVEs

CVSS base score

6.0/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new challenge, and the server would accept the replayed Stripe PaymentIntent as a new successful payment without actually charging the customer again. This allowed an attacker to pay once and consume unlimited resources by replaying the credential. This issue has been patched in version 0.4.11.

Key dates

02Disclosure timeline

March 31, 2026 CVE published

March 31, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-34210 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/697.html

Related vulnerabilities

CVE-2026-34210: mppx has Stripe charge credential replay via missing idempotency check

01Description

02Disclosure timeline

03References

04Related CVE