Platform
other
Component
chia-rpc-auth-bypass
Fixed in
2.1.1
CVE-2026-3194 describes a vulnerability in Chia Blockchain versions 2.1.0. This flaw involves a missing authentication check within the RPC Server Master Passphrase Handler, specifically the sendtransaction/getprivate_key function. Successful exploitation could lead to unauthorized access and potential compromise of the blockchain node. The vendor has been notified, and a public exploit is available.
The core impact of CVE-2026-3194 lies in the potential for unauthorized access to private keys. An attacker with local access to a Chia Blockchain node running version 2.1.0 can exploit this missing authentication check to retrieve private keys. This could allow them to forge transactions, steal funds, or otherwise manipulate the blockchain. The vulnerability's local execution requirement limits its immediate scope, but it significantly increases the risk for systems where local access is readily available, such as compromised servers or developer workstations. While the vendor considers this 'by design' regarding host security, the lack of authentication presents a clear attack vector.
CVE-2026-3194 has a public proof-of-concept available, indicating a relatively high likelihood of exploitation. The vulnerability was disclosed on 2026-02-25. The vendor's rejection of the bug bounty report, citing 'by design,' suggests a deliberate architectural choice that may not fully account for potential security implications. The vulnerability is not currently listed on CISA KEV as of this writing.
Exploit Status
EPSS
0.05% (15% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-3194 is to upgrade to a patched version of Chia Blockchain. As no fixed version is specified in the provided data, it's crucial to monitor the official Chia Blockchain channels for updates. In the interim, restrict local access to the Chia Blockchain node to trusted users and processes. Implement robust host-based security controls, including strong passwords, multi-factor authentication, and regular security audits. Consider using containerization or virtualization to isolate the Chia Blockchain node from the host system, limiting the potential impact of a successful exploit.
Update to a version later than 2.1.0 or implement additional security measures to protect local access to the RPC server. Since the vendor considers host security to be the user's responsibility, it is strongly recommended to restrict local access to the RPC server and monitor for suspicious activity.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-3194 is a medium severity vulnerability in Chia Blockchain 2.1.0 where a missing authentication check in the RPC Server Master Passphrase Handler allows local manipulation.
If you are running Chia Blockchain version 2.1.0, you are potentially affected by this vulnerability. Monitor official Chia Blockchain channels for updates.
The recommended fix is to upgrade to a patched version of Chia Blockchain. Check the official Chia Blockchain channels for the latest release.
A public proof-of-concept exists, indicating a potential for active exploitation. Monitor your systems for suspicious activity.
Refer to the official Chia Blockchain website and security advisories for the most up-to-date information regarding CVE-2026-3194.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.