CVE-2026-3194 — MEDIUM (4.5)

Vulnerability Description

A flaw has been found in Chia Blockchain 2.1.0. The affected element is the function send_transaction/get_private_key of the component RPC Server Master Passphrase Handler. This manipulation causes missing authentication. The attack can only be executed locally. The attack's complexity is rated as high. The exploitability is described as difficult. The exploit has been published and may be used. The vendor was informed early via email. A separate report via bugbounty was rejected with the reason "This is by design. The user is responsible for host security".

CVSS Score

4.5

MEDIUM

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Chia	Blockchain	2.1.0

Related Weaknesses (CWE)

CWE-306 CWE-287

References

https://github.com/Danimlzg/chia-rpc-auth-bypass.gitExploitThird Party Advisory
https://vuldb.com/?ctiid.347750Permissions RequiredVDB Entry
https://vuldb.com/?id.347750Third Party AdvisoryVDB Entry
https://vuldb.com/?submit.757201Third Party AdvisoryVDB Entry

FAQ

What is CVE-2026-3194?

CVE-2026-3194 is a vulnerability with a CVSS score of 4.5 (MEDIUM). A flaw has been found in Chia Blockchain 2.1.0. The affected element is the function send_transaction/get_private_key of the component RPC Server Master Passphrase Handler. This manipulation causes mi...

How severe is CVE-2026-3194?

CVE-2026-3194 has been rated MEDIUM with a CVSS base score of 4.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-3194?

Check the references section above for vendor advisories and patch information. Affected products include: Chia Blockchain.