CVE-2026-3194
Received Received - Intake
Authentication Bypass in Chia Blockchain RPC Server (Local Attack

Publication date: 2026-02-25

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in Chia Blockchain 2.1.0. The affected element is the function send_transaction/get_private_key of the component RPC Server Master Passphrase Handler. This manipulation causes missing authentication. The attack can only be executed locally. The attack's complexity is rated as high. The exploitability is described as difficult. The exploit has been published and may be used. The vendor was informed early via email. A separate report via bugbounty was rejected with the reason "This is by design. The user is responsible for host security".
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3194
EUVD
EUVD-2026-8699
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
chia blockchain 2.1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-3194 is a vulnerability in Chia Blockchain version 2.1.0 affecting the RPC Server Master Passphrase Handler, specifically the functions send_transaction and get_private_key.'}, {'type': 'paragraph', 'content': "The flaw is due to missing authentication, allowing these critical functions to be accessed without verifying the user's identity, classified as CWE-306 (Missing Authentication for Critical Function)."}, {'type': 'paragraph', 'content': 'Exploitation requires local access to the host environment and is considered difficult due to high attack complexity.'}, {'type': 'paragraph', 'content': 'The vendor considers this behavior intentional, placing responsibility for host security on the user, and has rejected bug bounty reports on this basis.'}] [1, 2]

Impact Analysis

This vulnerability can impact you by allowing unauthorized local processes to bypass authentication and access sensitive wallet functions.

An attacker with local access can invoke RPC endpoints such as send_transaction and get_private_key without providing the wallet passphrase.

This can lead to the 24-word seed phrase being exposed in plaintext, enabling complete wallet compromise.

Additionally, combined with other issues like CSRF and DNS rebinding attacks, remote attackers may steal funds.

Overall, the vulnerability threatens the confidentiality, integrity, and availability of the wallet and its funds.

Compliance Impact

I don't know

Detection Guidance

This vulnerability affects the Chia Blockchain RPC Server Master Passphrase Handler, specifically the functions send_transaction and get_private_key, which lack proper authentication and can be accessed locally.

Detection involves verifying if the RPC server is running with default or missing RPC credentials, which causes the _authenticate() function to always return true, allowing unauthenticated access.

You can check if the RPC server is listening on the local ports (commonly 9256 or 8555) and attempt to invoke sensitive RPC endpoints locally to see if authentication is enforced.

  • Use netstat or ss to check listening ports: `netstat -tulnp | grep 9256` or `ss -tulnp | grep 9256`
  • Use curl or similar tools locally to test RPC endpoints without authentication, for example: `curl -X POST http://localhost:9256/send_transaction` or `curl -X POST http://localhost:9256/get_private_key`

If these commands succeed without requiring authentication or passphrase, the system is vulnerable.

Mitigation Strategies

As of the latest information, no official fix or patch has been released for this vulnerability in Chia Blockchain versions 2.1.0 through 2.5.6.

The vendor considers this behavior by design and places responsibility for host security on the user.

Immediate mitigation steps include:

  • Restrict local access to the host running the Chia Blockchain RPC server to trusted users only.
  • Ensure RPC credentials are configured and not left at default or empty settings to prevent unauthenticated access.
  • Limit network exposure by firewalling or blocking access to RPC server ports (e.g., 9256, 8555) from untrusted networks.
  • Monitor and audit local processes to detect any unauthorized attempts to invoke sensitive RPC endpoints.
  • Consider using alternative products or versions if security is a critical concern, as no patches are currently available.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3194. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart