Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Endpoint enforces no authorization so PR:N/AC:L, exploitable over the network with a single POST (AV:N/UI:N); config overwrite yields full node control, so C:H/I:H/A:H.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
8DescriptionCVE.org
Improper authorization in the /tequilapi/config/user endpoint of Mysterium Node before v1.36.0 allows unauthenticated attackers to arbitrarily overwrite the node's configuration and achieve a full node takeover via supplying a crafted POST request.
AnalysisAI
Full node takeover in Mysterium Node before v1.36.0 is possible because the /tequilapi/config/user endpoint enforces no authorization (CWE-862), letting remote unauthenticated attackers submit a crafted POST request to arbitrarily overwrite the node's configuration. Because the local TequilAPI management interface shipped enabled and unsecured by default, an attacker who can reach the API can seize complete control of the node. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The concrete prerequisite is network reachability of the node's TequilAPI HTTP interface and specifically its /tequilapi/config/user endpoint, which pre-1.36.0 was served without authorization; on mobile/provider builds TequilAPI was enabled but not secured by default, which is the exact condition that exposes the endpoint. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scans for exposed Mysterium Node TequilAPI instances and sends a single crafted POST to /tequilapi/config/user with no credentials, overwriting the node's configuration to values of their choosing. Because a public PoC exists (sch8ill/CVE-2026-31309) and CVSS reports AV:N/AC:L/PR:N/UI:N, this requires no authentication, no user interaction, and low complexity, enabling scripted mass exploitation of any internet-reachable node. |
| Remediation | Vendor-released patch: upgrade to Mysterium Node v1.36.0 or later (https://github.com/mysteriumnetwork/node/releases/tag/1.36.0), which secures TequilAPI by default and closes the unauthorized configuration write; the relevant fix commits are 83051199cd641dd4ed9057b958e5616df1309f19 and bc099fcaff59fee9c8a8f8e07ffff5b3c5df2bb9. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Mysterium Node instances in your environment and confirm which versions are below v1.36.0; determine if TequilAPI endpoints are exposed to untrusted networks. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42495
GHSA-p7gf-g6r8-g65h