Description
A security vulnerability has been detected in Chia Blockchain 2.1.0. This issue affects the function _authenticate of the file rpc_server_base.py of the component RPC Credential Handler. The manipulation leads to improper authentication. The attack can be carried out remotely. The attack is considered to have high complexity and its exploitability is assessed as difficult. An exploit has been disclosed publicly and may be used. The vendor was informed early via email. A separate report via bug bounty was rejected with the reason "This is by design. The user is responsible for host security".
Published: 2026-02-25
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized RPC access
Action: Patch
AI Analysis

Impact

The vulnerability resides in the _authenticate function of rpc_server_base.py, the RPC credential handler of Chia Blockchain. Per the CVE record, manipulation of this function leads to improper authentication, so an attacker who can reach the RPC listener can use the node's RPC interface without valid credentials. The record does not describe what is manipulated, and the vendor's bug bounty response ("This is by design. The user is responsible for host security") treats the check as a host-security matter rather than a code defect. Unauthenticated RPC access exposes whatever commands the interface accepts; the CVSS vectors rate the resulting impact on confidentiality, integrity and availability as Low (C:L/I:L/A:L) with unchanged scope. The weakness is classified as CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function).

Affected Systems

Chia Blockchain 2.1.0 from Chia (CPE cpe:2.3:a:chia:blockchain:2.1.0:*:*:*:*:*:*:*). No other versions are listed; the report identifies this release only, and this page does not state whether earlier or later releases are affected.

Risk and Exploitability

The CVSS 4.0 base score of 6.3 is Medium (the v3.0 and v3.1 vectors give 5.6, v2.0 gives 5.1). All vectors agree on a network attack vector with no privileges or user interaction required, but high attack complexity (AC:H) and Low impact on each of confidentiality, integrity and availability. The EPSS score below 1% indicates a low predicted probability of exploitation in the wild at this time, although the CVE record states that an exploit has been published (CVSS E:P; SSVC Exploitation: poc, Automatable: no, Technical Impact: partial). The issue is not listed in the CISA KEV catalog. Note that the "high complexity" and "difficult" ratings come from the CVE record, not from the vendor, whose bug bounty response characterised the behaviour as by design. An attacker would need network reach to the node's RPC port and would then exploit the improper authentication in _authenticate to issue RPC calls without valid credentials; limiting that reach is therefore the main control available to operators.

Generated by OpenCVE AI on April 18, 2026 at 10:40 UTC.

Remediation

No vendor fix or workaround is currently provided. The vendor's bug bounty response characterises the behaviour as by design and places responsibility for host security on the operator, so a code change should not be assumed; the host-level controls below are the available mitigation.

OpenCVE Recommended Actions

  • Upgrade to an official Chia Blockchain release that changes this behaviour if one is published; the vendor has so far declined to treat it as a defect, so do not wait for a patch before applying the controls below.
  • Restrict RPC access: bind the node's RPC services to localhost or a protected internal interface only, and enforce firewall rules so the RPC ports are not reachable from untrusted networks.
  • Monitor RPC logs for authentication failures and alert on repeated failures from a single source, so that attempts to exploit the weakness are detected promptly.
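As an added example (not code from the OpenCVE page or from the Chia project), the following Python implements the two host-side controls recommended above: an exposure check that parses `ss -ltn` output for RPC ports listening on a non-loopback address, and a sliding-window detector over RPC log lines that alerts the first time one source accumulates repeated authentication failures. The RPC port numbers and the log-line format are assumptions; substitute the ports from your node's config.yaml and a regex matching your node's actual log output. The sample listener output and log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Loopback addresses that keep an RPC listener host-local.
LOOPBACK = {"127.0.0.1", "::1"}

# Port -> Chia service. ASSUMPTION: these defaults are recalled from the
# project's config.yaml and are not taken from the advisory; pass your own
# mapping when running this against a real node.
ASSUMED_RPC_PORTS = {8555: "full_node", 9256: "wallet", 8559: "farmer",
                     8560: "harvester", 55400: "daemon"}


def exposed_listeners(ss_output, rpc_ports=ASSUMED_RPC_PORTS):
    """Return (host, port, service) for every RPC port that is listening on a
    non-loopback address, parsed from `ss -ltn`-style output."""
    exposed = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header line or unrelated socket state
        host, _, port = parts[3].rpartition(":")   # "Local Address:Port"
        host = host.strip("[]")                    # "[::]:8559" -> "::"
        if not port.isdigit() or int(port) not in rpc_ports:
            continue                               # not a Chia RPC port
        if host not in LOOPBACK:                   # 0.0.0.0, ::, * or a NIC IP
            exposed.append((host, int(port), rpc_ports[int(port)]))
    return exposed


# ASSUMPTION: constructed log layout, not Chia's real log format:
# "<ISO-8601 UTC> rpc_server: authentication failed for <source>"
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"rpc_server: authentication failed for (?P<src>\S+)$")


def repeated_auth_failures(log_lines, threshold=5, window_s=60):
    """Sliding-window detector: emit one alert per source the first time it
    reaches `threshold` failed RPC authentications within `window_s` seconds.
    Returns a list of (source, failures_in_window, alert_time) tuples."""
    recent = defaultdict(deque)   # source -> failure timestamps in window
    alerted = set()
    alerts = []
    for line in log_lines:
        m = AUTH_FAIL.match(line.strip())
        if not m:
            continue              # successes and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        src = m["src"]
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()      # drop failures that aged out of the window
        if len(window) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, len(window), ts.isoformat()))
    return alerts


# Constructed sample data for the example run.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:8555      0.0.0.0:*
LISTEN 0      128    0.0.0.0:9256        0.0.0.0:*
LISTEN 0      128    [::]:8559           [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""

SAMPLE_LOG = [
    "2026-02-26T10:00:01Z rpc_server: authentication failed for 203.0.113.7",
    "2026-02-26T10:00:03Z rpc_server: authentication failed for 198.51.100.9",
    "2026-02-26T10:00:05Z rpc_server: authentication failed for 203.0.113.7",
    "2026-02-26T10:00:09Z rpc_server: authentication failed for 203.0.113.7",
    "2026-02-26T10:00:12Z rpc_server: authentication succeeded for 198.51.100.9",
    "2026-02-26T10:00:14Z rpc_server: authentication failed for 203.0.113.7",
    "2026-02-26T10:00:20Z rpc_server: authentication failed for 203.0.113.7",
    "2026-02-26T10:00:25Z rpc_server: authentication failed for 203.0.113.7",
    "2026-02-26T10:02:00Z rpc_server: authentication failed for 198.51.100.9",
]

if __name__ == "__main__":
    for host, port, svc in exposed_listeners(SAMPLE_SS):
        print(f"EXPOSED: {svc} RPC listening on {host}:{port}; rebind to localhost or firewall it")
    for src, n, when in repeated_auth_failures(SAMPLE_LOG):
        print(f"ALERT: {n} failed RPC authentications from {src} within 60s (at {when})")
```

On the sample data the exposure check flags the wallet and farmer listeners (bound to 0.0.0.0 and ::) while ignoring the loopback-bound full_node port and the unrelated SSH socket, and the detector raises a single alert for 203.0.113.7 at its fifth failure; the two failures from 198.51.100.9 fall outside a shared 60-second window and stay below threshold. In production, feed `exposed_listeners` the live output of `ss -ltn` and tail the node log into `repeated_auth_failures`, tuning threshold and window to the node's normal client behaviour.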


Advisories

No advisories yet.

History

Thu, 05 Mar 2026 01:15:00 +0000

Weaknesses (added): CWE-306
CPEs (added): cpe:2.3:a:chia:blockchain:2.1.0:*:*:*:*:*:*:*

Thu, 26 Feb 2026 13:30:00 +0000

First Time appeared (added): Chia; Chia blockchain
Vendors & Products (added): Chia; Chia blockchain

Thu, 26 Feb 2026 11:15:00 +0000

Metrics (added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 16:45:00 +0000

Description (added): A security vulnerability has been detected in Chia Blockchain 2.1.0. This issue affects the function _authenticate of the file rpc_server_base.py of the component RPC Credential Handler. The manipulation leads to improper authentication. The attack is possible to be carried out remotely. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. The vendor was informed early via email. A separate report via bugbounty was rejected with the reason "This is by design. The user is responsible for host security".
Title (added): Chia Blockchain RPC Credential rpc_server_base.py _authenticate improper authentication
Weaknesses (added): CWE-287
References
Metrics (added):
cvssV2_0
{'score': 5.1, 'vector': 'AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0
{'score': 5.6, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1
{'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0
{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-25T20:19:14.151Z

Reserved: 2026-02-25T09:35:35.743Z

Link: CVE-2026-3192

Vulnrichment

Updated: 2026-02-25T20:19:03.624Z

NVD

Status: Analyzed

Published: 2026-02-25T17:25:42.713

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3192

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:45:43Z

Weaknesses