Platform
other
Component
chia-rpc-auth-bypass
Opgelost in
2.1.1
CVE-2026-3194 describes a vulnerability in Chia Blockchain versions 2.1.0. This flaw involves a missing authentication check within the RPC Server Master Passphrase Handler, specifically the sendtransaction/getprivate_key function. Successful exploitation could lead to unauthorized access and potential compromise of the blockchain node. The vendor has been notified, and a public exploit is available.
The core impact of CVE-2026-3194 lies in the potential for unauthorized access to private keys. An attacker with local access to a Chia Blockchain node running version 2.1.0 can exploit this missing authentication check to retrieve private keys. This could allow them to forge transactions, steal funds, or otherwise manipulate the blockchain. The vulnerability's local execution requirement limits its immediate scope, but it significantly increases the risk for systems where local access is readily available, such as compromised servers or developer workstations. While the vendor considers this 'by design' regarding host security, the lack of authentication presents a clear attack vector.
CVE-2026-3194 has a public proof-of-concept available, indicating a relatively high likelihood of exploitation. The vulnerability was disclosed on 2026-02-25. The vendor's rejection of the bug bounty report, citing 'by design,' suggests a deliberate architectural choice that may not fully account for potential security implications. The vulnerability is not currently listed on CISA KEV as of this writing.
Chia Blockchain node operators, particularly those running version 2.1.0, are at risk. This includes individuals and organizations involved in cryptocurrency farming, blockchain development, and those hosting Chia Blockchain nodes on servers or developer workstations where local access is not strictly controlled.
disclosure
Exploit Status
EPSS
0.05% (15% percentiel)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2026-3194 is to upgrade to a patched version of Chia Blockchain. As no fixed version is specified in the provided data, it's crucial to monitor the official Chia Blockchain channels for updates. In the interim, restrict local access to the Chia Blockchain node to trusted users and processes. Implement robust host-based security controls, including strong passwords, multi-factor authentication, and regular security audits. Consider using containerization or virtualization to isolate the Chia Blockchain node from the host system, limiting the potential impact of a successful exploit.
Actualiseer naar een versie later dan 2.1.0 of implementeer aanvullende beveiligingsmaatregelen om de lokale toegang tot de RPC-server te beschermen. Aangezien de leverancier beschouwt dat de beveiliging van de host de verantwoordelijkheid van de gebruiker is, wordt ten zeerste aanbevolen om de lokale toegang tot de RPC-server te beperken en verdachte activiteiten te monitoren.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2026-3194 is a medium severity vulnerability in Chia Blockchain 2.1.0 where a missing authentication check in the RPC Server Master Passphrase Handler allows local manipulation.
If you are running Chia Blockchain version 2.1.0, you are potentially affected by this vulnerability. Monitor official Chia Blockchain channels for updates.
The recommended fix is to upgrade to a patched version of Chia Blockchain. Check the official Chia Blockchain channels for the latest release.
A public proof-of-concept exists, indicating a potential for active exploitation. Monitor your systems for suspicious activity.
Refer to the official Chia Blockchain website and security advisories for the most up-to-date information regarding CVE-2026-3194.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.