Submit #757201: Chia Network Chia Blockchain Chia Blockchain 2.1.0 (confirmed vulnerable) Later versions (2.2.0 - 2.5.6) presumed vulnerable - no fix released Authentication Bypass/CSRF/Cryptographic Issueinfo

Title: Chia Network Chia Blockchain 2.1.0 (confirmed vulnerable); later versions (2.2.0 - 2.5.6) presumed vulnerable, no fix released. Authentication Bypass / CSRF / Cryptographic Issue

Description: The Chia RPC server (rpc_server_base.py) contains multiple critical vulnerabilities:

1. Authentication Bypass: If no RPC credentials are set (default), _authenticate() returns True for all requests.
2. CSRF: No CORS headers or origin validation. A malicious website can send POST requests to localhost:9256/8555. The browser blocks reading the response, but the wallet executes the command.
3. Master Passphrase Bypass: The RPC server ignores the wallet's locked state. Any local process with access to the mTLS certificates can call /send_transaction and /get_private_key without the passphrase, returning the 24-word seed in plain text.

Impact:
- Remote theft of funds via CSRF + DNS Rebinding
- Local malware can drain wallets and exfiltrate seeds without passphrase
- Complete account takeover

Reported to Chia Network via HackerOne (#3524400). Vendor closed as "Informative" with the note: "This is by design. The user is responsible for host security." No CVE assigned. Full documentation and PoC videos available.

Source: https://github.com/Danimlzg/chia-rpc-auth-bypass.git
User: DeSneake (UID 95539)
Submission: 02/12/2026 14:13 (2 months ago)
Moderation: 02/25/2026 10:35 (13 days later)
Status: Accepted
VulDB entry: 347750 [Chia Blockchain 2.1.0 RPC Server Master Passphrase send_transaction/get_private_key missing authentication]
Points: 20
