Description
Hashgraph Guardian through version 3.5.1, fixed in commit 45fbe2f, contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.
Published: 2026-04-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Hashgraph Guardian through version 3.5.1 (fixed in commit 45fbe2f) evaluates JavaScript supplied to the Custom Logic policy block worker without a sandbox. The worker passes user‑created JavaScript expressions directly to Node.js's Function() constructor, so an expression runs with the full privileges of the worker process: it can import native Node.js modules, read files from the container filesystem, read process environment variables, and execute arbitrary code on the hosting node.
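The two evaluation strategies side by side, as an added example that is not code from the Guardian project: a Function()-based evaluator with the property the CVE describes, and a restricted evaluator that parses a small expression grammar itself and resolves names only against the supplied document. The environment variable, the sample document and the grammar are constructed for this example; Guardian's actual Custom Logic API, field names and the change made in commit 45fbe2f are not shown on this page and are not assumed here.

```javascript
// Added example, not Guardian's code: the unsandboxed pattern the CVE describes,
// next to a restricted evaluator that never hands user text to the JS engine.

// Constructed stand-in for a signing key the worker process holds in its environment.
process.env.DEMO_JWT_SECRET = 'constructed-signing-key-do-not-use';

// Vulnerable pattern: the user's expression becomes the body of a real function. Function()
// bodies run in the global scope, so `process`, `globalThis` and anything reachable from them
// belong to whoever writes the expression.
function evaluateUnsandboxed(expression, document) {
  return new Function('document', `return (${expression});`)(document);
}

// Hardened alternative: tokenize and parse a small expression grammar ourselves. Identifiers
// resolve only against the supplied document; no globals, no calls, no assignment, no Function().
const TOKEN = /\s*(?:(\d+(?:\.\d+)?)|("(?:[^"\\]|\\.)*")|([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)|(===|!==|<=|>=|&&|\|\||[-+*\/<>()!]))/y;

// Binary operators as [precedence, implementation]; nothing else is an operator.
const BINARY = {
  '||': [1, (a, b) => a || b], '&&': [2, (a, b) => a && b],
  '===': [3, (a, b) => a === b], '!==': [3, (a, b) => a !== b],
  '<': [4, (a, b) => a < b], '>': [4, (a, b) => a > b],
  '<=': [4, (a, b) => a <= b], '>=': [4, (a, b) => a >= b],
  '+': [5, (a, b) => a + b], '-': [5, (a, b) => a - b],
  '*': [6, (a, b) => a * b], '/': [6, (a, b) => a / b],
};

function tokenize(source) {
  const src = source.trim();
  const out = [];
  for (let pos = 0; pos < src.length; pos = TOKEN.lastIndex) {
    TOKEN.lastIndex = pos;
    const m = TOKEN.exec(src);
    // Anything outside the grammar (`;`, `[`, `=`, `{`, backticks, ...) stops parsing here.
    if (m === null) throw new Error(`unsupported token at offset ${pos}`);
    if (m[1] !== undefined) out.push({ t: 'num', v: Number(m[1]) });
    else if (m[2] !== undefined) out.push({ t: 'str', v: JSON.parse(m[2]) });
    else if (m[3] !== undefined) out.push({ t: 'id', v: m[3] });
    else out.push({ t: 'op', v: m[4] });
  }
  return out;
}

function evaluateRestricted(expression, document) {
  const toks = tokenize(expression);
  let i = 0;
  const peekOp = (v) => i < toks.length && toks[i].t === 'op' && toks[i].v === v;

  // Walk a dotted path through own properties of the document only, so `process`,
  // `this`, `constructor` and `__proto__` are all rejected as unknown fields.
  function resolve(path) {
    let cur = document;
    for (const seg of path.split('.')) {
      if (cur === null || typeof cur !== 'object' || !Object.prototype.hasOwnProperty.call(cur, seg)) throw new Error(`unknown field '${path}'`);
      cur = cur[seg];
    }
    return cur;
  }

  function primary() {
    const tok = toks[i++];
    if (tok === undefined) throw new Error('unexpected end of expression');
    if (tok.t === 'num' || tok.t === 'str') return tok.v;
    if (tok.t === 'id') {
      if (tok.v === 'true' || tok.v === 'false') return tok.v === 'true';
      if (peekOp('(')) throw new Error('function calls are not allowed');
      return resolve(tok.v);
    }
    if (tok.v === '(') { const v = binary(0); if (!peekOp(')')) throw new Error("expected ')'"); i += 1; return v; }
    if (tok.v === '!') return !primary();
    if (tok.v === '-') return -primary();
    throw new Error(`unexpected '${tok.v}'`);
  }

  // Precedence climbing over BINARY; both operands are always evaluated, which is
  // harmless because nothing in this grammar has side effects.
  function binary(minPrec) {
    let left = primary();
    while (i < toks.length && toks[i].t === 'op' && BINARY[toks[i].v] !== undefined && BINARY[toks[i].v][0] > minPrec) {
      const [prec, fn] = BINARY[toks[i++].v];
      left = fn(left, binary(prec));
    }
    return left;
  }

  const result = binary(0);
  if (i !== toks.length) throw new Error(`unexpected '${toks[i].v}'`);
  return result;
}

// Constructed document standing in for the credential a Custom Logic block receives.
const SAMPLE_DOCUMENT = { credentialSubject: { amount: 120, unit: 'tCO2e', verified: true } };

// Same attacker expression through both paths, plus a legitimate rule through the safe one.
function demo() {
  const payload = 'process.env.DEMO_JWT_SECRET';
  const leaked = evaluateUnsandboxed(payload, SAMPLE_DOCUMENT);
  let blocked = null;
  try { evaluateRestricted(payload, SAMPLE_DOCUMENT); } catch (e) { blocked = e.message; }
  const rule = evaluateRestricted('credentialSubject.amount * 2 >= 200 && credentialSubject.verified', SAMPLE_DOCUMENT);
  return { leaked, blocked, rule };
}
```

`demo()` returns the constructed secret through the Function() path, an `unknown field` error through the restricted path, and `true` for the legitimate business rule. Two points worth keeping in mind when applying this to a real worker: Node's built-in `vm` module is documented as not being a security mechanism, so wrapping the same Function() call in `vm.runInNewContext` would not be a fix on its own; and a restricted interpreter like the one above is only safe as long as its grammar stays free of calls, assignment and global lookups, so any later "convenience" extension needs the same review.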

Affected Systems

Only deployments of Hashgraph Guardian running version 3.5.1 or older are affected. Exploitation requires an authenticated Standard Registry account, since the Custom Logic policy block is available to that role; no user interaction by anyone else is needed (CVSS UI:N).

Risk and Exploitability

The CVSS v4.0 score of 8.7 (v3.1: 8.8) indicates a high‑severity flaw. The EPSS probability is below 1% and the issue is not listed in the CISA KEV catalog, but exploitation requires only legitimate Standard Registry credentials and the ability to supply a JavaScript payload. Successful exploitation can read sensitive files from the container filesystem, harvest process environment variables that may hold RSA private keys, JWT signing keys and API tokens, and use those keys to forge authentication tokens for any user, including administrators, which amounts to full compromise of the node.

Generated by OpenCVE AI on April 9, 2026 at 19:50 UTC.

Remediation

No vendor advisory or workaround is linked here. The CVE description identifies commit 45fbe2f as the fix.

OpenCVE Recommended Actions

  • Upgrade Hashgraph Guardian to a release that includes the fix in commit 45fbe2f; all versions through 3.5.1 are affected.
  • Until the fix is deployed, restrict the Custom Logic policy block to the Standard Registry accounts that genuinely require it and enforce least privilege for Standard Registry users. Because the worker's environment is readable by anyone who can reach the flaw, rotate any RSA private keys, JWT signing keys and API tokens exposed to the worker process if misuse is suspected.


Advisories

No advisories yet.

History

Fri, 01 May 2026 17:00:00 +0000

Type: Description
Values Removed: Hashgraph Guardian through version 3.5.0 contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.
Values Added: Hashgraph Guardian through version 3.5.1, fixed in commit 45fbe2f, contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.

Type: Title
Values Removed: Hashgraph Guardian 3.5.0 Unsandboxed JavaScript Execution RCE
Values Added: Hashgraph Guardian 3.5.1 Unsandboxed JavaScript Execution RCE

Type: References

Wed, 22 Apr 2026 00:45:00 +0000

Type: First Time appeared
Values Added: Hedera; Hedera guardian

Type: CPEs
Values Added: cpe:2.3:a:hedera:guardian:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Hedera; Hedera guardian

Fri, 10 Apr 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Hashgraph; Hashgraph guardian

Type: Vendors & Products
Values Added: Hashgraph; Hashgraph guardian

Thu, 09 Apr 2026 19:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 18:15:00 +0000

Type: Description
Values Added: Hashgraph Guardian through version 3.5.0 contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.

Type: Title
Values Added: Hashgraph Guardian 3.5.0 Unsandboxed JavaScript Execution RCE

Type: Weaknesses
Values Added: CWE-668

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-01T16:56:16.826Z

Reserved: 2026-04-07T20:57:06.209Z

Link: CVE-2026-39911

Vulnrichment

Updated: 2026-04-09T18:16:09.730Z

NVD

Status : Modified

Published: 2026-04-09T18:17:01.870

Modified: 2026-05-01T17:16:24.230

Link: CVE-2026-39911

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:31:47Z

Weaknesses