{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3193", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-25T09:35:41.634Z", "datePublished": "2026-02-25T16:32:08.589Z", "dateUpdated": "2026-02-27T18:20:18.500Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-25T16:32:08.589Z"}, "title": "Chia Blockchain send_transaction cross-site request forgery", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-352", "lang": "en", "description": "Cross-Site Request Forgery"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-862", "lang": "en", "description": "Missing Authorization"}]}], "affected": [{"vendor": "Chia", "product": "Blockchain", "versions": [{"version": "2.1.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Chia Blockchain 2.1.0. Impacted is an unknown function of the file /send_transaction. The manipulation results in cross-site request forgery. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit is now public and may be used. The vendor was informed early via email. A separate report via bugbounty was rejected with the reason \"This is by design. The user is responsible for host security\"."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "LOW"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-02-25T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-25T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-25T10:40:51.000Z", "lang": "en", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.347749", "name": "VDB-347749 | Chia Blockchain send_transaction cross-site request forgery", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.347749", "name": "VDB-347749 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://github.com/Danimlzg/chia-rpc-auth-bypass.git", "tags": ["broken-link", "exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T18:20:10.570700Z", "id": "CVE-2026-3193", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T18:20:18.500Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3193", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T18:20:10.570700Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T18:20:14.520Z"}}], "cna": {"title": "Chia Blockchain send_transaction cross-site request forgery", "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.1, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.1, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "Chia", "product": "Blockchain", "versions": [{"status": "affected", "version": "2.1.0"}]}], "timeline": [{"lang": "en", "time": "2026-02-25T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-25T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-25T10:40:51.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.347749", "name": "VDB-347749 | Chia Blockchain send_transaction cross-site request forgery", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.347749", "name": "VDB-347749 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://github.com/Danimlzg/chia-rpc-auth-bypass.git", "tags": ["broken-link", "exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Chia Blockchain 2.1.0. Impacted is an unknown function of the file /send_transaction. The manipulation results in cross-site request forgery. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit is now public and may be used. The vendor was informed early via email. A separate report via bugbounty was rejected with the reason \"This is by design. The user is responsible for host security\"."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "Cross-Site Request Forgery"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-25T16:32:08.589Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3193", "state": "PUBLISHED", "dateUpdated": "2026-02-27T18:20:18.500Z", "dateReserved": "2026-02-25T09:35:41.634Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-25T16:32:08.589Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chia:blockchain:2.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "6FF3B0E2-5398-4EEF-8EF1-EF9BF237FC95", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Chia Blockchain 2.1.0. Impacted is an unknown function of the file /send_transaction. The manipulation results in cross-site request forgery. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit is now public and may be used. The vendor was informed early via email. A separate report via bugbounty was rejected with the reason \"This is by design. The user is responsible for host security\"."}, {"lang": "es", "value": "Se detect\u00f3 una vulnerabilidad en Chia Blockchain 2.1.0. Afectada es una funci\u00f3n desconocida del archivo /send_transaction. La manipulaci\u00f3n resulta en falsificaci\u00f3n de petici\u00f3n en sitios cruzados. El ataque puede ser realizado desde remoto. El ataque requiere un alto nivel de complejidad. La explotabilidad es considerada dif\u00edcil. El exploit es ahora p\u00fablico y puede ser usado. El proveedor fue informado temprano v\u00eda correo electr\u00f3nico. Un informe separado v\u00eda bugbounty fue rechazado con la raz\u00f3n 'Esto es por dise\u00f1o. El usuario es responsable de la seguridad del host'."}], "id": "CVE-2026-3193", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-25T17:25:42.937", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Danimlzg/chia-rpc-auth-bypass.git"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.347749"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.347749"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}, {"lang": "en", "value": "CWE-862"}], "source": "cna@vuldb.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Blockchain", "source": "cna", "vendor": "Chia"}, "product": "blockchain", "vendor": "chia"}], "analysis": {"en": {"generated_at": "2026-04-16T16:12:13.268389+00:00", "value": {"mitigation_remediation": ["Restrict access to the Chia Blockchain RPC interface to trusted internal networks or use a VPN.", "Configure the RPC service to require authentication tokens or client certificates to prevent unauthenticated requests.", "Monitor for unexpected transaction activity and enable logging of RPC calls to detect potential CSRF attempts."], "summary": {"action": "Assess Impact", "impact": "Cross\u2011Site Request Forgery"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Chia Blockchain client, specifically version 2.1.0. No other versions are listed as affected, and the vendor has not reported additional impacted releases.", "description_and_impact": "An attacker can submit crafted requests to the /send_transaction endpoint of Chia Blockchain, leading to unauthorized execution of blockchain transactions. The flaw is a cross\u2011site request forgery that allows a malicious actor to make the node perform actions on behalf of a legitimate user or owner of that node. While the vulnerability is hard to exploit and requires sophisticated manipulation, it could compromise the integrity of the blockchain if successful, allowing fraudulent transfers.", "risk_and_exploitability": "The CVSS score of 2.3 indicates a low overall severity. The EPSS score of less than 1% shows that the likelihood of exploitation is very small at present. The vulnerability has not been identified as a known exploited vulnerability by CISA. The attack requires remote access to the node\u2019s RPC endpoint, and the exploitation is considered difficult, but since the exploit is public, the risk remains moderate as it could be leveraged by determined attackers with sufficient knowledge."}}}}, "created": "2026-02-26T13:15:20.775691+00:00", "updated": "2026-04-16T16:15:08.475879+00:00", "vendors": ["chia", "chia$PRODUCT$blockchain"]}