Executive Summary

CVE-2026-3193 is a cross-site request forgery (CSRF) vulnerability found in Chia Blockchain version 2.1.0, specifically affecting an unknown function within the /send_transaction endpoint.

This vulnerability occurs because the web application does not properly verify whether a request was intentionally made by the authenticated user, allowing attackers to remotely initiate unauthorized transactions without requiring authentication.

Exploitation requires some user interaction but can be performed remotely. A proof-of-concept exploit is publicly available.

The vendor was notified early but rejected a bug bounty report stating this behavior is by design and that users are responsible for their host security.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to remotely perform unauthorized transactions on your Chia Blockchain wallet without your consent.

Because the /send_transaction endpoint can be exploited via CSRF, attackers can trick users into executing transactions they did not intend, potentially leading to loss of funds.

The exploitability is considered difficult and requires user interaction, but a public proof-of-concept exists, increasing the risk.

No known mitigations or countermeasures have been provided, so users should consider replacing the affected component or securing their host environment.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the /send_transaction endpoint of the Chia Blockchain RPC server for unauthorized transaction requests without proper authentication or CSRF protections.'}, {'type': 'paragraph', 'content': 'Commands using curl can be used to test if the RPC server accepts requests without authentication or CSRF tokens, for example:'}, {'type': 'list_item', 'content': 'Sending a transaction without passphrase using curl: curl -X POST https://localhost:9256/send_transaction --cert ~/.chia/mainnet/config/ssl/wallet/private_wallet.crt --key ~/.chia/mainnet/config/ssl/wallet/private_wallet.key -H "Content-Type: application/json" -d \'{"wallet_id": 1, "address": "txch1...", "amount": 1000, "fee": 0}\''}, {'type': 'list_item', 'content': 'Extracting the 24-word seed phrase without passphrase using curl: curl --insecure --cert ~/.chia/mainnet/config/ssl/wallet/private_wallet.crt --key ~/.chia/mainnet/config/ssl/wallet/private_wallet.key -d \'{"fingerprint": 3889508350}\' -H "Content-Type: application/json" -X POST https://localhost:9256/get_private_key'}, {'type': 'paragraph', 'content': 'Additionally, testing for CSRF can be done by attempting to send POST requests to the /send_transaction endpoint from a malicious webpage to see if transactions are executed without user consent.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

No official mitigations or countermeasures have been provided by the vendor for this vulnerability.

Immediate steps include considering replacing the affected component with an alternative product that does not have this vulnerability.

Users should ensure strict host security since the vendor considers this behavior by design and places responsibility on the user for host security.

Additionally, restricting network access to the RPC server ports (localhost:9256 and localhost:8555) and avoiding exposing these services to untrusted networks can help reduce risk.

Useful 0 Not Useful 0