Description
Hashgraph Guardian through version 3.5.1, fixed in commit 45fbe2f, contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.
Published: 2026-04-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Hashgraph Guardian versions up to and including 3.5.1 permit an unsandboxed evaluation of JavaScript code supplied in the Custom Logic policy block worker. The vulnerability arises when the system feeds user‑created JavaScript expressions directly into Node.js’s Function() constructor without any isolation, allowing the attacker to execute arbitrary code on the hosting node.

Affected Systems

Only deployments of Hashgraph Guardian running version 3.5.1 or older are affected. The attack is limited to users who hold an authenticated Standard Registry account, as the vulnerability exists within the Custom Logic policy block used by such users.

Risk and Exploitability

The CVSS score of 8.7 indicates a high‑severity flaw. The EPSS score of 0.00119 indicates a very low but non‑zero exploitation probability currently, and the issue is not listed in the CISA KEV catalog. The exploit requires only legitimate Standard Registry credentials and the ability to supply a JavaScript payload. Successful exploitation can read sensitive filesystem material, harvest process environment variables that may contain private keys or tokens, and forge authentication tokens for any user, including administrators, thereby providing full compromise of the node.

Generated by OpenCVE AI on May 2, 2026 at 08:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hashgraph Guardian to a version that includes commit 45fbe2f, which removes the unsandboxed JavaScript execution flaw.
  • Disable or restrict the Custom Logic policy block in the configuration until the patch is applied, limiting the attack surface for Standard Registry users.
  • Enforce least privilege for Standard Registry accounts, ensuring users have only the permissions required for their legitimate tasks.

Advisories

No advisories yet.

History

Fri, 01 May 2026 17:00:00 +0000

Type: Description
  Values Removed: Hashgraph Guardian through version 3.5.0 contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.
  Values Added: Hashgraph Guardian through version 3.5.1, fixed in commit 45fbe2f, contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.
Type: Title
  Values Removed: Hashgraph Guardian 3.5.0 Unsandboxed JavaScript Execution RCE
  Values Added: Hashgraph Guardian 3.5.1 Unsandboxed JavaScript Execution RCE
Type: References

Wed, 22 Apr 2026 00:45:00 +0000

Type: First Time appeared
  Values Added: Hedera; Hedera guardian
Type: CPEs
  Values Added: cpe:2.3:a:hedera:guardian:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Hedera; Hedera guardian

Fri, 10 Apr 2026 09:00:00 +0000

Type: First Time appeared
  Values Added: Hashgraph; Hashgraph guardian
Type: Vendors & Products
  Values Added: Hashgraph; Hashgraph guardian

Thu, 09 Apr 2026 19:15:00 +0000

Type: Metrics
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 18:15:00 +0000

Type: Description
  Values Added: Hashgraph Guardian through version 3.5.0 contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.
Type: Title
  Values Added: Hashgraph Guardian 3.5.0 Unsandboxed JavaScript Execution RCE
Type: Weaknesses
  Values Added: CWE-668
Type: References
Type: Metrics
  Values Added: cvssV3_1
    {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Values Added: cvssV4_0
    {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Hashgraph Guardian
Hedera Guardian
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-01T16:56:16.826Z

Reserved: 2026-04-07T20:57:06.209Z

Link: CVE-2026-39911

Vulnrichment

Updated: 2026-04-09T18:16:09.730Z

NVD

Status : Modified

Published: 2026-04-09T18:17:01.870

Modified: 2026-05-01T17:16:24.230

Link: CVE-2026-39911

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:30:26Z

Weaknesses