CVE-2026-31309

Mysterium Network · Mysterium Node

An improper authorization vulnerability in the Mysterium Node configuration endpoint allows unauthenticated attackers to overwrite node settings and achieve full takeover.

Executive summary

An improper authorization flaw in Mysterium Node allows unauthenticated remote attackers to achieve full node takeover via crafted configuration requests.

Vulnerability

The vulnerability exists in the /tequilapi/config/user endpoint, which fails to perform proper authorization checks. This allows an unauthenticated attacker to send a crafted POST request to overwrite the node's configuration, leading to a complete compromise of the node.

Business impact

With a CVSS score of 7.5 (High), this vulnerability represents a significant risk to infrastructure integrity. A successful exploit grants an attacker full control over the node, which could be leveraged for unauthorized network participation, lateral movement, or data exfiltration. The lack of authentication requirements makes this highly susceptible to automated exploitation.

Remediation

Immediate Action: Upgrade all instances of Mysterium Node to version v1.36.0 or later immediately.

Proactive Monitoring: Review access logs for the /tequilapi/config/user endpoint for unauthorized POST requests or unexpected changes to node configuration files.

Compensating Controls: Restrict network access to the node's management interface using firewalls or VPNs to ensure only authorized administrative traffic can reach the API.

Exploitation status

Public Exploit Available: Yes (A public proof-of-concept is available via GitHub).

Analyst recommendation

The combination of an unauthenticated attack vector and the availability of a public proof-of-concept necessitates immediate remediation. Administrators must treat this as a high-priority update to prevent unauthorized node takeover.