Platform
python
Component
chia-rpc-auth-bypass
Fixed version
2.1.1
A security vulnerability has been identified in Chia Blockchain version 2.1.0, specifically within the RPC Credential Handler component. This improper authentication issue allows for manipulation, potentially leading to unauthorized access. The vulnerability impacts Chia Blockchain 2.1.0 and requires remote access to exploit. While a fix is pending, mitigation strategies are available.
The vulnerability lies in the authenticate function of rpcserver_base.py, allowing attackers to bypass authentication mechanisms. Successful exploitation could grant an attacker unauthorized access to the Chia Blockchain node, potentially enabling them to control the blockchain, steal funds, or disrupt operations. The high complexity suggests the attack requires specific knowledge of the system and potentially crafted input to bypass authentication checks. While the vendor considers this behavior by design, the potential for misuse remains a significant concern.
This vulnerability was publicly disclosed on 2026-02-25. A proof-of-concept exploit is available, indicating a moderate risk of exploitation. The vendor was notified early but rejected a bug bounty report, citing the behavior as intentional. The vulnerability is not currently listed on CISA KEV, but its public disclosure and available exploit warrant close monitoring.
Chia Blockchain node operators, particularly those running version 2.1.0 without robust host security measures, are at risk. Shared hosting environments where multiple users share a single Chia Blockchain instance are also particularly vulnerable, as an attacker compromising one user's account could potentially exploit this vulnerability to gain access to the entire node.
• python / server:
import subprocess

def check_rpc_auth():
    # Note: this only runs the CLI's help command. A successful exit shows the
    # CLI is installed; it does not exercise the RPC credential handler itself.
    try:
        subprocess.run(['chia-blockchain', 'rpc', '--help'],
                       capture_output=True, text=True, check=True)
        print("Potential vulnerability: RPC interface accessible without credentials.")
    except (subprocess.CalledProcessError, FileNotFoundError) as e:
        # CalledProcessError: non-zero exit; FileNotFoundError: CLI not on PATH
        print(f"RPC interface check failed: {e}")

check_rpc_auth()
• generic web:
curl -I http://<chia_blockchain_ip>:8444/rpc
Examine the response headers for any unusual authentication-related fields.
disclosure
Exploitation status
EPSS
0.24% (47th percentile)
CISA SSVC
CVSS vector
Due to the lack of a direct patch, mitigation focuses on hardening the host environment. Implement strong firewall rules to restrict access to the Chia Blockchain RPC interface. Regularly review and update access control lists to minimize the attack surface. Consider implementing multi-factor authentication (MFA) for all administrative accounts accessing the Chia Blockchain node. Monitor system logs for suspicious activity related to authentication attempts. While a formal detection signature is unavailable, monitor for unusual RPC requests and authentication failures.
Upgrade to a version of Chia Blockchain later than 2.1.0. If upgrading is not possible, review the RPC authentication configuration and make sure it is set up correctly to prevent unauthorized access.
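The mitigation guidance above recommends restricting who can reach the RPC interface and monitoring logs for authentication failures and unusual RPC requests. The following is an added example of that monitoring logic, not code from the page or from the Chia project. The log line format, the field names (`auth=ok` / `auth=failed`, `request from <ip>`) and the sample lines are all constructed for illustration; a real deployment would adapt `LINE_RE` to the actual RPC server log format and feed it the live log file.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format. The real Chia RPC
# log layout is not given on this page; adjust LINE_RE to match it.
SAMPLE_LOG = """\
2026-02-25T10:00:01Z full_node_rpc INFO request from 10.0.0.5 method=get_blockchain_state auth=ok
2026-02-25T10:00:02Z full_node_rpc WARN request from 203.0.113.7 method=get_blockchain_state auth=failed
2026-02-25T10:00:03Z full_node_rpc WARN request from 203.0.113.7 method=push_tx auth=failed
2026-02-25T10:00:04Z full_node_rpc WARN request from 203.0.113.7 method=push_tx auth=failed
2026-02-25T10:00:05Z full_node_rpc INFO request from 10.0.0.5 method=get_peers auth=ok
2026-02-25T10:05:30Z full_node_rpc WARN request from 198.51.100.9 method=get_peers auth=failed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\S+) (?P<lvl>\S+) request from (?P<src>\S+) "
    r"method=(?P<method>\S+) auth=(?P<auth>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_auth_failure_bursts(lines, threshold=3, window=timedelta(minutes=1)):
    """Return {source: max_failures_in_window} for sources that produced at
    least `threshold` failed authentications within any `window`-long span."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["auth"] != "failed":
            continue
        failures[rec["src"]].append(rec["ts"])

    alerts = {}
    for src, stamps in failures.items():
        stamps.sort()
        start = 0
        # Sliding window over the sorted timestamps for this source.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


def find_unexpected_sources(lines, allowed):
    """Return the set of source addresses that issued RPC requests but are not
    in the operator's allow list (the 'unusual RPC requests' case)."""
    unexpected = set()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["src"] not in allowed:
            unexpected.add(rec["src"])
    return unexpected


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("auth failure bursts:", find_auth_failure_bursts(lines))
    print("unexpected sources:", find_unexpected_sources(lines, allowed={"10.0.0.5"}))
```

On the constructed sample, the burst detector flags 203.0.113.7 (three failures inside one minute) and ignores the single failure from 198.51.100.9, while the allow-list check reports both external addresses as sources the operator did not expect to see at all. Both functions are pure over the lines they are given, so they can run on a log tail in a cron job or be wired into an existing alerting pipeline.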
CVE-2026-3192 is a medium-severity vulnerability in Chia Blockchain 2.1.0 that allows remote attackers to manipulate authentication, potentially gaining unauthorized access.
If you are running Chia Blockchain version 2.1.0, you are potentially affected by this vulnerability. Upgrade to a patched version when available.
A direct patch is currently unavailable. Mitigate by hardening the host environment with firewalls, access control lists, and MFA.
A proof-of-concept exploit is publicly available, indicating a potential risk of active exploitation.
Refer to the Chia Blockchain official website and security advisories for updates and further information regarding CVE-2026-3192.