CVE-2021-39168

CVE-2021-39168 is a critical-severity vulnerability in Openzeppelin Contracts with a CVSS 3.x base score of 10.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-269.

Key facts

Description

OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke the executor role from accounts not strictly under the team's control. We recommend revoking all executors that are not also proposers. When applying this mitigation, ensure there is at least one proposer and executor remaining.

Frequently asked questions

What is CVE-2021-39168?
OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke the executor role from accounts not strictly under the team's control. We recommend revoking all executors that are not also proposers. When applying this mitigation, ensure there is at least one proposer and executor remaining.
How severe is CVE-2021-39168?
CVE-2021-39168 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-39168 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (73rd percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2021-39168?
CVE-2021-39168 affects Openzeppelin Contracts. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2021-39168?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
When was CVE-2021-39168 published?
CVE-2021-39168 was published on 2021-08-27 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Openzeppelin Contracts

All CVEs affecting Openzeppelin Contracts →

Other CWE-269 (Improper Privilege Management) vulnerabilities

Browse all CWE-269 (Improper Privilege Management) vulnerabilities →