CVE-2020-26896

Prior to 0.11.0-beta, LND (Lightning Network Daemon) had a vulnerability in its invoice database. While claiming on-chain a received HTLC output, it didn't verify that the corresponding outgoing off-chain HTLC was already settled before releasing the preimage. In the case of a hash-and-amount collision with an invoice, the preimage for an expected payment was instead released. A malicious peer could have deliberately intercepted an HTLC intended for the victim node, probed the preimage through a colluding relayed HTLC, and stolen the intercepted HTLC. The impact is a loss of funds in certain situations, and a weakening of the victim's receiver privacy.

Published: Oct 21, 2020
Updated: Nov 16, 2025
CVE: CVE-2020-26896
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.2
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5.8
AV:N/AC:M/Au:N/C:P/I:P/A:N

CWEs:

CWE-354

Affected Software
References

Software	From	Fixed in
lightning_network_daemon_project / lightning_network_daemon	-	0.11.0
lightning_network_daemon_project / lightning_network_daemon	0.11.0	0.11.0.x
lightning_network_daemon_project / lightning_network_daemon	0.11.0-beta_rc1	0.11.0-beta_rc1.x
lightning_network_daemon_project / lightning_network_daemon	0.11.0-beta_rc2	0.11.0-beta_rc2.x
lightning_network_daemon_project / lightning_network_daemon	0.11.0-beta_rc3	0.11.0-beta_rc3.x
lightning_network_daemon_project / lightning_network_daemon	0.11.0-beta_rc4	0.11.0-beta_rc4.x

Vulnerability Database

318,638

CVE-2020-26896

Deep Security Visibility Without the Complexity