Insufficient Verification of Data Authenticity Affecting zebrad package, versions <5.0.0


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RUST-ZEBRAD-17872176
  • published6 Jul 2026
  • disclosed6 Jul 2026
  • creditUnknown

Introduced: 6 Jul 2026

NewCVE-2026-54496  (opens in a new tab)
CWE-345  (opens in a new tab)

How to fix?

Upgrade zebrad to version 5.0.0 or higher.

Overview

zebrad is a The Zcash Foundation's independent, consensus-compatible implementation of a Zcash node

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the assign_advice process. An attacker can bypass circuit soundness and authorize unauthorized spends or double-spend notes by providing crafted private circuit inputs that exploit the lack of constraints on the base value. This allows repeated spending of the same note with distinct nullifiers or unauthorized spending of existing notes if the attacker knows the corresponding incoming viewing key. Exploitation is undetectable on-chain and only requires setting specific private inputs.

References

CVSS Base Scores

version 4.0
version 3.1