Platform: python
Component: chia-blockchain
Fixed in: 2.1.1
A cross-site request forgery (CSRF) vulnerability has been identified in Chia Blockchain version 2.1.0. The flaw affects an unknown function within the /send_transaction endpoint and allows a remote attacker to potentially trigger unwanted actions. Exploitation is considered difficult and requires a high level of complexity, but the vulnerability is now public. Users are advised to implement robust host security measures.
The primary impact of this CSRF vulnerability lies in the potential for unauthorized transactions. An attacker could craft malicious requests that, if a user is authenticated and interacts with a compromised Chia Blockchain interface, could result in the transfer of funds or other unintended actions. The vulnerability's high complexity requirement suggests that exploitation would likely necessitate social engineering or a sophisticated attack chain to trick a user into unknowingly executing the malicious request. The "by design" rejection from the bug bounty program highlights the vendor's perspective that host security is the user's responsibility, emphasizing the need for careful user awareness and secure configuration.
The vulnerability is publicly disclosed and a proof-of-concept may be available. The vendor was notified early, but a bug bounty report was rejected, indicating a design decision placing responsibility on the user for host security. The CVE was published on 2026-02-25. The CVSS score is LOW, reflecting the difficulty of exploitation.
Exploit Status:
EPSS: 0.02% (6th percentile)
CISA SSVC:
CVSS Vector:
Due to the absence of a direct patch, mitigation focuses on strengthening host security. Users should implement robust input validation and output encoding on the Chia Blockchain interface to prevent malicious requests from being processed. Employing Content Security Policy (CSP) headers can further restrict the sources from which scripts can be executed, reducing the attack surface. Regularly review and update security configurations, and educate users about the risks of phishing and other social engineering tactics. Consider implementing rate limiting on sensitive endpoints like /send_transaction to mitigate potential abuse.
Update to a version later than 2.1.0, if available, or implement additional security measures to mitigate the risk of CSRF attacks. Since the vendor considers this 'by design', an official fix may not be available. Consider disabling the affected functionality or implementing stricter access controls.
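The access-control and rate-limiting measures suggested above can be made concrete with a request gate in front of a state-changing RPC such as /send_transaction. The following is an added example written for this advisory, not chia-blockchain's own code: it rejects the request shapes a browser can send cross-site without a CORS preflight (non-POST methods, form content types, requests lacking a custom header), validates the Origin or Referer against an allowlist, and then applies a per-client sliding-window limit. The request dictionary layout, the allowlisted origins, the header name, the /healthz path and the sample requests are all constructed assumptions; the logic goes beyond the advisory's single endpoint by treating any path listed in STATE_CHANGING_PATHS the same way.

```python
"""CSRF gate plus rate limit for a wallet RPC endpoint such as /send_transaction.

Added example for this advisory, not chia-blockchain's own code. The request
shape (a dict with 'method', 'path' and 'headers'), the allowlisted origins,
the required header name and the sample requests are constructed assumptions.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Optional
from urllib.parse import urlsplit
import time

# Origins the wallet's own UI is expected to be served from (assumed values).
ALLOWED_ORIGINS = {"http://localhost:9256", "https://localhost:9256"}
# Endpoints that move funds or otherwise change state get the full gate.
STATE_CHANGING_PATHS = {"/send_transaction"}
# A cross-site form post, <img> or <script> request cannot carry a custom
# header without a CORS preflight, so demanding one blocks the classic CSRF
# vectors. The header name is an assumption, not something Chia specifies.
REQUIRED_HEADER = "x-requested-with"


def _origin_of(value: Optional[str]) -> Optional[str]:
    """Reduce an Origin or Referer header value to scheme://host[:port]."""
    if not value:
        return None
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_check(request: Dict[str, object]) -> str:
    """Return 'ok' or a short rejection reason for a constructed request dict."""
    if request["path"] not in STATE_CHANGING_PATHS:
        return "ok"
    if request["method"] != "POST":
        return "method-not-allowed"
    headers = {str(k).lower(): str(v) for k, v in request["headers"].items()}
    # Form encodings are the "simple request" types a browser sends cross-site
    # without a preflight; a JSON-RPC endpoint should only accept JSON bodies.
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return "bad-content-type"
    if REQUIRED_HEADER not in headers:
        return "missing-custom-header"
    # Browsers set Origin on cross-site POSTs; fall back to Referer if absent.
    origin = _origin_of(headers.get("origin")) or _origin_of(headers.get("referer"))
    if origin is None:
        return "no-origin"
    if origin not in ALLOWED_ORIGINS:
        return "bad-origin"
    return "ok"


class SlidingWindowLimiter:
    """Per-client sliding-window limiter; 'now' is injectable for testing."""

    def __init__(self, max_requests: int, window_seconds: float) -> None:
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, client_id: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits[client_id]
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # drop hits that have aged out of the window
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def gate(request: Dict[str, object], limiter: SlidingWindowLimiter,
         client_id: str, now: Optional[float] = None) -> str:
    """Apply the CSRF check first, then the per-client limit on sensitive paths."""
    verdict = csrf_check(request)
    if verdict != "ok":
        return verdict
    if request["path"] in STATE_CHANGING_PATHS and not limiter.allow(client_id, now):
        return "rate-limited"
    return "ok"


def make_request(path: str = "/send_transaction", method: str = "POST",
                 **headers: str) -> Dict[str, object]:
    """Build a constructed request dict for the samples below."""
    return {"path": path, "method": method, "headers": dict(headers)}


# Constructed sample requests: one legitimate UI call and three cross-site shapes.
LEGIT = make_request(origin="http://localhost:9256",
                     **{"content-type": "application/json",
                        "x-requested-with": "XMLHttpRequest"})
FORM_POST = make_request(origin="https://attacker.invalid",
                         **{"content-type": "application/x-www-form-urlencoded"})
JSON_NO_HEADER = make_request(origin="https://attacker.invalid",
                              **{"content-type": "application/json"})
WRONG_ORIGIN = make_request(origin="https://attacker.invalid",
                            **{"content-type": "application/json",
                               "x-requested-with": "XMLHttpRequest"})

if __name__ == "__main__":
    limiter = SlidingWindowLimiter(max_requests=3, window_seconds=60)
    for name, req in [("legit", LEGIT), ("form-post", FORM_POST),
                      ("json-no-header", JSON_NO_HEADER), ("wrong-origin", WRONG_ORIGIN)]:
        print(name, gate(req, limiter, client_id="127.0.0.1"))
```

The gate is deliberately strict: a state-changing request with neither Origin nor Referer is refused rather than assumed local, so non-browser clients (a CLI authenticating with certificates, for instance) would need their own authentication path rather than an exemption here. The rate limiter is keyed by caller identity and bounds how many transfers a single client can trigger per window, which limits the blast radius if the other checks are ever bypassed.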
CVE-2026-3193 is a cross-site request forgery (CSRF) vulnerability affecting the /send_transaction function in Chia Blockchain 2.1.0, allowing remote attackers to potentially trigger unauthorized transactions.
If you are running Chia Blockchain version 2.1.0 and have not implemented robust host security measures, you are potentially affected by this vulnerability.
A direct patch is not currently available. Mitigation involves implementing robust host security measures, such as input validation, CSP headers, and user education.
While exploitation is considered difficult, the vulnerability is publicly disclosed and a proof-of-concept may be available, so active exploitation is possible.
Refer to the Chia Blockchain project's official website and security advisories for updates and further information regarding CVE-2026-3193.