Security Advisory:
Critical App Update Required
Transaction Integrity • Secure Signing • XRPL Protection
A critical vulnerability has been identified in older versions of Xaman that may affect transaction preview accuracy. Update immediately to ensure your XRPL transactions are verified and signed correctly.
Release Information
- Improved transaction verification
- Security fixes
- XRPL signing improvements
Update Overview
- No loss of funds — your balance remains untouched
- Your wallet remains fully intact
- Your keys are secure and protected
- Improves transaction reliability and signing accuracy
Before You Start
- Back up your Secret Numbers before updating
- Never share your credentials with anyone
- Update via official app stores only
- Avoid APK downloads from third-party sources
Security Advisory Details
Summary
A vulnerability was identified in the transaction preview mechanism of Xaman, potentially allowing manipulated transaction details to be displayed to users before signing.
What Happened
A flaw in the transaction preview rendering could allow specially crafted payloads to display incorrect transaction details, misleading users into approving unintended operations.
Risk
Users on older versions may unknowingly approve transactions that differ from what is displayed on screen, leading to potential loss of assets.
Why This Update Is Required
- Prevents manipulated transactions from being approved
- Strengthens the transaction verification layer
- Improves XRPL interaction security and reliability
Who Is at Risk
- Users running older app versions (pre-v2.9.1)
- Active XRPL users transacting regularly
- dApp users interacting with third-party payloads
Step-by-Step Update Guide
1. Open the App Store (iOS) or Google Play Store (Android)
2. Search for "Xaman"
3. Tap "Update" to install the latest version
4. Relaunch the app and verify the updated version
Indicators of Compromise (IOCs)
Contact support immediately if you observe:
- Transactions you do not recognize
- Approvals you do not remember confirming
- Sudden token allowance changes or "infinite approval" you didn't set
- New sessions/connected dApps you didn't authorize
- Device prompts that look unfamiliar or rushed, especially those pushing updates
What We Are Doing to Protect You
We are implementing the following security measures:
- Mandatory firmware integrity enforcement for all devices on impacted versions
- Improved release signing and verification to reduce supply-chain risk
- Expanded internal auditing around the signing pipeline and transaction parsing
- A permanent improvement to our incident response posture including faster rollout and clearer security bulletins
If you experienced losses, we will provide a structured support process to help you document impacted transactions and share required information safely.
Mandatory Security Update v2.9.1
A vulnerability in the previous version could allow unauthorized signature injection under specific conditions. Update to v2.9.1 now using the official app stores. The updater will never request your recovery phrase.
Frequently Asked Questions
Will I lose my assets during the update?
No. Your wallet remains intact after the upgrade. Your accounts and keys are not re-created. However, if you updated to the impacted version and suspect compromise, you should move assets to a fresh wallet as a precaution.
Will the updater ask for my recovery phrase?
Never. The official updater will never ask for your seed phrase or recovery words. If anything requests your recovery phrase, it is a scam. Close it immediately.
What if I already updated to the impacted version?
Update to v2.9.1 immediately. After updating, run the integrity check. Then move funds to a fresh wallet (new seed), generate new addresses, revoke dApp permissions, and review recent transactions on an independent block explorer.
How long does the update take?
The update takes approximately 2 minutes. Do not close the app during the update process. Make sure your device remains powered on.
Can I downgrade after updating?
No. Downgrades are not supported for safety reasons. Once you update to v2.9.1, you cannot revert to a previous version.
Critical Security Warning
Xaman will NEVER ask you for your Secret Numbers, recovery phrase, or private keys — not through the app, email, or any support channel.
Any request for this information is a scam. Report it immediately.
