Bitcoin Core developers have confirmed a privacy vulnerability in version 31.0, specifically inside the newly introduced privatebroadcast feature. The bug can expose a user's real IP address to a receiving peer under specific network conditions. No funds are at risk. No wallets can be drained. But for privacy-conscious node operators using this feature, the implications are real and the workarounds are needed right now.
To understand the flaw, you first need to know what privatebroadcast is designed to do.
When you broadcast a BTC transaction to the network, your node connects to peers to relay it. The privatebroadcast feature, introduced for the first time in Bitcoin Core 31.0, is meant to hide the sender's IP address during this process by routing the connection through Tor. The goal is to ensure that the recipient peer never learns your real location or identity.
Here is what happens technically, in simple terms: when your node tries to connect to a peer using the newer v2 (BIP324) encrypted transport, that handshake can fail. When it fails, the node automatically retries the connection using the older v1 protocol. The problem is that this v1 retry does not route through Tor. It goes direct. And that direct connection reveals your real IPv4 or IPv6 address to whoever is on the other side.
A malicious peer can deliberately cause this fallback by intentionally failing the v2 handshake, forcing your node to expose the IP address you were trying to keep private.
The good news is that the affected group is narrow and specific. This Bitcoin privacy bug only applies to users where all of the following conditions are true at the same time:
- Running Bitcoin Core 31.0 with privatebroadcast enabled
- Broadcasting transactions using the sendrawtransaction RPC command
- Tor is available for outbound connections
- Direct IPv4 or IPv6 outbound connections are not restricted
- BIP324 v2 transport is not disabled
If any one of those conditions is not met, the bug does not apply to you.
Importantly, standard wallet RPCs like sendtoaddress and sendall do not use the private broadcast feature at all and are completely unaffected. Connections made exclusively to onion or I2P peers are also not affected because those always stay routed through their respective proxies even on a v1 retry.
Most everyday Bitcoin holders, exchange users, and standard wallet users have zero exposure here. This is a node-operator level issue affecting a specific configuration.
Let us be direct about the risk level.
What this bug can do:
- Reveal a node operator's real IP address to a malicious peer during a transaction broadcast
- Reduce transaction privacy for affected users
- Allow geographic identification of the sender by a sophisticated attacker
What this bug cannot do:
- Steal or move BTC from any wallet
- Compromise private keys or seed phrases
- Manipulate the Bitcoin blockchain or transaction records
- Affect node operators who do not use privatebroadcast
The Bitcoin Core update advisory published on June 6, 2026, credits Eugene Siegel for discovering and reporting the issue, which follows responsible disclosure best practices.
The official team has confirmed that the fix is coming in Bitcoin Core 31.1. Until that release is live, there are three workarounds available to affected users right now:
| Workaround | How to Apply | Trade-off |
| --- | --- | --- |
| Disable private broadcast | Set privatebroadcast=0 | Feature is off entirely |
| Disable v2 transport | Set v2transport=0 | Node uses older unencrypted v1 protocol, easier to fingerprint |
| Route all IPv4/IPv6 through Tor | Set proxy=127.0.0.1:9050 | All outbound goes through Tor, increases Sybil attack risk |
Option 1 (disabling the feature entirely) is the simplest and cleanest fix for most users until 31.1 ships. Options 2 and 3 have their own security trade-offs that operators need to weigh carefully based on their setup.
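As an added example (not code from the advisory or from Bitcoin Core), the following Python check reads the text of a bitcoin.conf and reports whether it matches the affected configuration or one of the three workarounds above. It assumes privatebroadcast is off and v2transport is on when the option is absent, ignores command-line overrides and [section] scoping, and runs on constructed sample configurations.

```python
def parse_conf(text):
    """Parse bitcoin.conf text into {option: value}."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue  # blank line, comment, or [section] header
        key, eq, value = line.partition("=")
        # Simplification: first occurrence is kept; a bare "option" means 1.
        opts.setdefault(key.strip().lstrip("-"), value.strip() if eq else "1")
    return opts


def is_on(opts, key, default):
    """Boolean option; simplification: only the literal 0 counts as off."""
    return default if key not in opts else opts[key] != "0"


def assess(conf_text):
    """Return (status, reason) for the conditions this article lists."""
    opts = parse_conf(conf_text)
    # Assumed defaults when absent: privatebroadcast off, v2transport on.
    if not is_on(opts, "privatebroadcast", default=False):
        return ("not-affected", "privatebroadcast is off")
    if not is_on(opts, "v2transport", default=True):
        return ("mitigated", "v2transport=0 (workaround 2)")
    proxy = opts.get("proxy", "")
    if proxy not in ("", "0"):
        # The file cannot prove this proxy is really Tor; verify separately.
        return ("mitigated", "proxy=" + proxy + " (workaround 3)")
    return ("exposed", "matches the affected setup if Tor is reachable "
                       "and sendrawtransaction is used")


# Constructed sample configurations, one per case discussed above.
SAMPLES = {
    "affected": "privatebroadcast=1\n",
    "workaround-1": "privatebroadcast=0\n",
    "workaround-2": "privatebroadcast=1\nv2transport=0  # v1 only\n",
    "workaround-3": "[main]\nprivatebroadcast=1\nproxy=127.0.0.1:9050\n",
}

if __name__ == "__main__":
    for name, conf in SAMPLES.items():
        status, reason = assess(conf)
        print(f"{name:13} {status:13} {reason}")
```

An "exposed" result only means the file leaves the listed conditions open; whether Tor is reachable and whether sendrawtransaction is actually used cannot be read from the configuration.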
Bitcoin Core 31.0 was released on April 19, 2026, and brought several meaningful updates to the network's node software. The privatebroadcast feature was one of the headline additions, designed to improve transaction privacy for operators.
The bug does not make 31.0 broadly unsafe. The overwhelming majority of node operators running 31.0 without privatebroadcast enabled are completely unaffected. The issue is isolated to one specific feature used in one specific configuration.
That said, anyone who enabled privatebroadcast specifically for its privacy guarantees should apply a workaround immediately. The feature is not delivering the protection it promised in the 31.0 release notes until 31.1 patches the flaw.
The latest Bitcoin Core news is clear: the developers acted quickly, disclosed the issue responsibly, and have a fix ready for the next release.
The official advisory confirms that the fix will be released. No specific date for 31.1 has been publicly announced as of this writing. Given that this is a privacy vulnerability (not a critical fund-safety issue), the release timeline will follow the standard development schedule rather than an emergency patch.
Operators should monitor the official website at bitcoincore.org and the official X account @bitcoincoreorg for the 31.1 release announcement.
Bitcoin Core remains one of the most rigorously developed open-source projects in existence. This bug is a genuine privacy concern for a specific group of node operators, but it was identified, disclosed publicly, and is being fixed in the next release. That is how responsible software development is supposed to work.
If you run a node with privatebroadcast enabled, apply one of the three workarounds above today. If you are a regular holder, exchange user, or standard wallet user, nothing about your BTC is at risk.
Disclaimer: This article is for informational and educational purposes only. It does not constitute financial or investment advice. All technical details are sourced from the official security advisory published at bitcoincore.org on June 6, 2026. Always verify technical instructions with the official documentation before making changes to your node configuration.
