CVE-2026-31309

Source
https://cve.org/CVERecord?id=CVE-2026-31309
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31309.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31309
Published
2026-07-08T00:00:00Z
Modified
2026-07-16T03:48:20.415478825Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

Improper authorization in the /tequilapi/config/user endpoint of Mysterium Node from v1.21.1-rc0 before v1.36.0 allows an unauthenticated attacker to arbitrarily overwrite the node's configuration and achieve a full node takeover via a crafted POST request.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31309.json",
    "cna_assigner": "mitre"
}
References

Affected packages

Git / github.com/mysteriumnetwork/node

Affected ranges

Type
GIT
Repo
https://github.com/mysteriumnetwork/node
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "v1.21.1-rc0"
        },
        {
            "fixed": "v1.36.0"
        }
    ],
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ]
}

Affected versions

1.*
1.21.1-rc0
1.22.0
1.22.1
1.23.0
1.24.0
1.24.0-rc15
1.25.0
1.25.1
1.25.2
1.25.3
1.25.4
1.25.5
1.26.0
1.27.0
1.28.0
1.29.0
1.29.1
1.29.10
1.29.11
1.29.12
1.29.13
1.29.14
1.29.15
1.29.16
1.29.17
1.29.18
1.29.19
1.29.2
1.29.2-rc1
1.29.2-rc2
1.29.2-rc3
1.29.2-rc4
1.29.20
1.29.21
1.29.22
1.29.23
1.29.3
1.29.4
1.29.5
1.29.6
1.29.7
1.29.8
1.29.9
1.29.9-rc1
1.30.0
1.30.1
1.30.2
1.30.3
1.31.0
1.31.1
1.31.2
1.31.3
1.31.4
1.32.0
1.32.1
1.32.2
1.32.3
1.33.0
1.33.1
1.33.10
1.33.2
1.33.4
1.33.5
1.33.6
1.33.7
1.33.8
1.33.9
1.34.0
1.34.1
1.35.0
1.35.1
1.35.2
1.35.3
1.35.4
1.35.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31309.json"