Description
Hedera Guardian through 3.5.1 contains an authentication bypass vulnerability in the GET /api/v1/demo/registered-users endpoint that allows unauthenticated attackers to retrieve sensitive user information. Attackers can access the endpoint without providing authentication credentials to obtain usernames, Hedera DIDs, parent registry DIDs, system roles, and policy role assignments for all registered users in the system.
Published: 2026-05-14
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Hedera Guardian contains an authentication bypass in the GET /api/v1/demo/registered-users endpoint that allows unauthenticated attackers to retrieve usernames, Hedera DIDs, parent registry DIDs, system roles, and policy role assignments for all registered users. This flaw, identified as CWE-306, permits full disclosure of user data without any authentication, constituting a medium-severity information-disclosure vulnerability.

Affected Systems

Hashgraph’s Hedera Guardian product is affected, specifically version 3.5.1 and earlier releases that have not applied the fix for the authentication bypass. Administrators should verify that their deployed Guardian instance matches or exceeds the patched release.

Risk and Exploitability

The CVSS score is 6.9, indicating medium severity. Because no authentication is required, attackers can exploit the flaw from any network where the Guardian service is reachable, such as a public web server. The EPSS score is currently unavailable and the vulnerability is not listed in CISA’s KEV catalog, but the lack of mitigations and the publicly documented behavior suggest that an attacker with network access could retrieve all user data readily.

Generated by OpenCVE AI on May 14, 2026 at 22:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Hashgraph patch that addresses the authentication bypass for the /api/v1/demo/registered-users endpoint.
  • If a patch is not immediately available, configure the Guardian service to require authentication for that endpoint or disable the demo endpoint in production deployments.
  • Monitor and log all requests to /api/v1/demo/registered-users, alerting on unauthenticated accesses.
  • Limit exposure of the Guardian service by placing it behind secure network perimeters or VPN tunnels, ensuring that only trusted network segments can reach the endpoint.
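The monitoring action above can be turned into a concrete detection. The following is an added example written for this page, not code from OpenCVE or the Hedera Guardian project. It assumes the reverse proxy in front of Guardian writes Combined Log Format lines with one extra quoted field holding the request's Authorization header ("-" when absent); the endpoint path is the one named in the advisory, and the log lines are constructed for the example. It flags any 2xx response to that path from a request that carried no Authorization header, which after the fix should no longer occur.

```python
import re
from typing import Dict, List, Optional

# Endpoint named in the advisory.
DEMO_ENDPOINT = "/api/v1/demo/registered-users"

# Combined-log-style line with one extra quoted field appended: the value of the
# request's Authorization header ("-" when absent). Assumption: the reverse proxy
# in front of Guardian is configured to log that field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<auth>[^"]*)"$'
)

# Constructed sample log lines for this example; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2026:22:10:01 +0000] "GET /api/v1/demo/registered-users HTTP/1.1" 200 1842 "-"
203.0.113.7 - - [14/May/2026:22:10:02 +0000] "GET /api/v1/policies HTTP/1.1" 401 27 "-"
198.51.100.4 - - [14/May/2026:22:11:15 +0000] "GET /api/v1/demo/registered-users HTTP/1.1" 200 1842 "Bearer <token>"
192.0.2.9 - - [14/May/2026:22:12:40 +0000] "GET /api/v1/demo/registered-users?page=2 HTTP/1.1" 200 1842 "-"
192.0.2.9 - - [14/May/2026:22:12:41 +0000] "GET /api/v1/demo/registered-users HTTP/1.1" 401 27 "-"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into its fields; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_unauthenticated_demo_access(rec: Dict[str, str]) -> bool:
    """True when the demo endpoint answered 2xx to a request with no Authorization header.

    The path is compared with its query string stripped so that '?page=2' style
    variants still match. A 401/403 means the server rejected the request, which
    is the expected post-fix behaviour and is not alerted on.
    """
    path = rec["target"].split("?", 1)[0]
    no_auth = rec["auth"] in ("", "-")
    served = rec["status"].startswith("2")
    return path == DEMO_ENDPOINT and no_auth and served


def find_unauthenticated_demo_access(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed records from log_text that should raise an alert."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_unauthenticated_demo_access(rec):
            alerts.append(rec)
    return alerts


def alerts_by_source(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Count alerts per client IP, a convenient shape for a SIEM rule or dashboard."""
    counts: Dict[str, int] = {}
    for rec in alerts:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_unauthenticated_demo_access(SAMPLE_LOG)
    for rec in hits:
        print(f'ALERT {rec["ts"]} {rec["ip"]} {rec["method"]} {rec["target"]} '
              f'-> {rec["status"]} (no Authorization header)')
    print(alerts_by_source(hits))
```

Run against the sample, the first and fourth lines are flagged (the fourth despite its query string), the request that carried a bearer token is not, and the 401 line is not. If the proxy does not log the Authorization header, the same rule can be expressed on the backend's own request log provided it records whether a session or token was presented.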



Advisories

No advisories yet.

History

Thu, 14 May 2026 22:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Hashgraph
                    |                | Hashgraph guardian
Vendors & Products  |                | Hashgraph
                    |                | Hashgraph guardian

Thu, 14 May 2026 21:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Hedera Guardian through 3.5.1 contains an authentication bypass vulnerability in the GET /api/v1/demo/registered-users endpoint that allows unauthenticated attackers to retrieve sensitive user information. Attackers can access the endpoint without providing authentication credentials to obtain usernames, Hedera DIDs, parent registry DIDs, system roles, and policy role assignments for all registered users in the system.
Title       |                | Hedera Guardian Authentication Bypass Information Disclosure
Weaknesses  |                | CWE-306
References  |                |
Metrics     |                | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
            |                | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Hashgraph Guardian
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-14T21:36:22.995Z

Reserved: 2026-05-11T14:14:49.613Z

Link: CVE-2026-45248

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-14T22:16:45.000

Modified: 2026-05-15T14:56:18.253

Link: CVE-2026-45248

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T22:30:25Z

Weaknesses