GHSA-QR2G-P6Q7-W82M: GHSA-qr2g-p6q7-w82m: Critical Payment Verification Bypass in Coinbase x402 SDK (Solana)

GHSA-qr2g-p6q7-w82m: Critical Payment Verification Bypass in Coinbase x402 SDK (Solana) Vulnerability ID: GHSA-QR2G-P6Q7-W82M CVSS Score: 9.9 Published: 2026-03-07 A critical vulnerability exists in the Coinbase x402 SDK affecting the verification of Solana (SVM) payments. The flaw is located in the facilitator component, which acts as an intermediary for validating automated HTTP 402 payments. Due to improper verification of Ed25519 cryptographic signatures in the Solana implementation, an attacker can bypass payment requirements. This allows unauthorized access to monetized APIs, compute resources, or digital goods without settling the required transaction on the blockchain. The vulnerability specifically affects the @x402/svm npm package, the x402 PyPI package, and the Go SDK. TL;DR The Coinbase x402 SDK contains a critical flaw in its Solana payment verification logic. Attackers can spoof payment signatures to bypass fees for APIs and services using the protocol. This affects versi