CVE-2026-3194

MEDIUM 4.5

Chia Blockchain RPC Server Master Passphrase get_private_key missing authentication

CVSS Score

4.5

EPSS Score

0.0%

EPSS Percentile

0th

A flaw has been found in Chia Blockchain 2.1.0. The affected element is the function send_transaction/get_private_key of the component RPC Server Master Passphrase Handler. This manipulation causes missing authentication. The attack can only be executed locally. The attack's complexity is rated as high. The exploitability is described as difficult. The exploit has been published and may be used. The vendor was informed early via email. A separate report via bugbounty was rejected with the reason "This is by design. The user is responsible for host security".

CWE	CWE-306 CWE-287
Vendor	chia
Product	blockchain
Published	Feb 25, 2026
Last Updated	Feb 25, 2026

Stay Ahead of the Next One

Get instant alerts for chia blockchain

Be the first to know when new medium vulnerabilities affecting chia blockchain are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

Chia / Blockchain

2.1.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/?id.347750 vuldb.com: https://vuldb.com/?ctiid.347750 vuldb.com: https://vuldb.com/?submit.757201 github.com: https://github.com/Danimlzg/chia-rpc-auth-bypass.git

Credits

🔍 DeSneake (VulDB User)