External risk intelligence

Mysterium Node Configuration Takeover Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-31309

The vulnerability exists in a node configuration API endpoint. Mysterium nodes are designed to function as decentralized network relays, which inherently requires them to be reachable via public internet endpoints to participate in the network, making this configuration service commonly exposed or accessible in standard deployments.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Mysterium Node software, specifically affecting its configuration endpoint. This flaw allows unauthenticated attackers to take full control of a node, potentially disrupting network services or enabling malicious activities. The primary concern is to determine if this software is in use and exposed to external networks.

  • Unauthenticated access can seize node control.
  • Critical to confirm software relevance and exposure.
  • Assess impact; confirm operational relevance now.

Attack Path

How an attacker could exploit the issue

An attacker can target the Mysterium Node's configuration API over the network. By sending a specially crafted POST request to the `/tequilapi/config/user` endpoint, an unauthenticated attacker can exploit an improper authorization flaw. This allows them to arbitrarily change the node's settings, potentially leading to complete control over the compromised node.

  • No authentication required.
  • POST request to config user endpoint.
  • Full node takeover risk.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated attacker could gain complete control of a Mysterium Node by sending a specially crafted request to the `/tequilapi/config/user` endpoint. This would allow them to modify the node's configuration settings arbitrarily, leading to a full takeover of the node.

  • Node configuration and control.
  • Via crafted POST request to API.
  • Full node takeover possible.

Operational Fix

Recommended remediation, mitigation, and detection steps

To address this vulnerability, the platform or infrastructure team responsible for managing the Mysterium Node deployments is likely accountable for initiating the remediation process. The first practical step involves identifying all instances of the affected technology, assessing their network exposure and business criticality, and then locating the specific owner for each instance to plan a coordinated response.

  • Identify affected node deployments.
  • Verify external reachability and criticality.
  • Coordinate remediation with node owners.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Mysterium Node?

Mysterium Node is software that allows a computer to act as a decentralized network relay. Users typically run this software to contribute their internet bandwidth to the Mysterium decentralized private network, essentially serving as a participant in a distributed peer-to-peer infrastructure.

What does CWE-862 mean for CVE-2026-31309?

CWE-862 represents improper authorization. In the context of CVE-2026-31309, this means the software fails to verify that a person is allowed to access the configuration settings. Because this check is missing, the system permits anyone to perform actions they should not be able to, such as changing core settings without proving their identity.

How is this vulnerability triggered?

An attacker triggers this bug by sending a specifically formatted POST request to the /tequilapi/config/user endpoint on a target node. The flaw relies on the absence of authorization checks; simply sending the malicious request to that specific API path is sufficient to gain control, meaning no prior interaction or valid login credentials are required.

Why should I worry about this if my node is internal?

According to Halo Surface Signal, this vulnerability is classified as likely to be relevant because Mysterium nodes are built to be reachable via the public internet to function as relays. If your node is accessible from the internet, it is directly exposed to this attack; internal-only nodes may have a reduced risk, but they are still vulnerable if the API is reachable within your network.

What should I do to protect my Mysterium Node?

Start by identifying every instance of Mysterium Node running in your environment. Once you have a complete list, assess the network reachability of each instance to determine which are exposed. Coordinate with the individuals or teams responsible for managing those specific nodes to plan for updates or configuration changes.

References