Donate Telegram

CVE-2026-3194

LOW CVSS 4.0: 2.0 EPSS 0.06%

Feb 25, 2026

Updated Feb 25, 2026

Chia

Parameter	Value
CVSS	2.0 (LOW)
Type	CWE-287 (Improper Authentication), CWE-306 (Missing Authentication for Critical Function)
Vendor	Chia
Public PoC	No

A flaw has been found in Chia Blockchain 2.1.0. The affected element is the function send_transaction/get_private_key of the component RPC Server Master Passphrase Handler. This manipulation causes missing authentication.

The attack can only be executed locally. The attack's complexity is rated as high. The exploitability is described as difficult.

The exploit has been published and may be used. The vendor was informed early via email. A separate report via bugbounty was rejected with the reason "This is by design.

The user is responsible for host security".

Attack Parameters

Attack Vector

Local

Requires local access

Attack Complexity

High

Difficult to exploit

Attack Requirements

None

No additional conditions

Privileges Required

Low

Basic privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

Low

Partial data leak

Integrity

Low

Partial data modification

Availability

Low

Partial disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-287 Improper Authentication

CWE-306 Missing Authentication for Critical Function

References 4

https://github.com/Danimlzg/chia-rpc-auth-bypass.git

https://vuldb.com/?ctiid.347750

https://vuldb.com/?id.347750

https://vuldb.com/?submit.757201

Share Post Share Share Share

CVE Details

CVE ID

CVE-2026-3194

Published Date

Feb 25, 2026

Vendor

Chia

Severity

LOW

CVSS v4.0 Score

2.0

Low severity. Standard update cycle.

Exploit Prediction (EPSS)

Probability of Exploit 0.06%

Likelihood of exploitation in next 30 days

Percentile: 17.9th percentile (higher than 17.9% of all CVEs)

Standard patching cycle

Impact

Partial data disclosure

Partial data modification

Partial service disruption

Source

Editor's Choice