CVE-2026-39911

Hashgraph Guardian through version 3.5.1, fixed in commit 45fbe2f, contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/hashgraph/guardian/commit/45fbe2f7e0e8feee30105d42d66ed63fb6177ebe
https://github.com/hashgraph/guardian/pull/5929	Issue Tracking
https://www.vulncheck.com/advisories/hashgraph-guardian-unsandboxed-javascript-execution-rce	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:hedera:guardian:*:*:*:*:*:*:*:*

History

01 May 2026, 17:16

Type	Values Removed	Values Added
References		() https://github.com/hashgraph/guardian/commit/45fbe2f7e0e8feee30105d42d66ed63fb6177ebe -
Summary	(en) Hashgraph Guardian through version 3.5.0 contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.	(en) Hashgraph Guardian through version 3.5.1, fixed in commit 45fbe2f, contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.

22 Apr 2026, 00:37

Type	Values Removed	Values Added
CPE		cpe:2.3:a:hedera:guardian::::::::
References	~~() https://github.com/hashgraph/guardian/pull/5929 -~~	() https://github.com/hashgraph/guardian/pull/5929 - Issue Tracking
References	~~() https://www.vulncheck.com/advisories/hashgraph-guardian-unsandboxed-javascript-execution-rce -~~	() https://www.vulncheck.com/advisories/hashgraph-guardian-unsandboxed-javascript-execution-rce - Third Party Advisory
First Time		Hedera guardian Hedera

09 Apr 2026, 18:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-09 18:17

Updated : 2026-05-01 17:16

NVD link : CVE-2026-39911

Mitre link : CVE-2026-39911

CVE.ORG link : CVE-2026-39911

JSON object : View

Products Affected

hedera

guardian

CWE

CWE-668

Exposure of Resource to Wrong Sphere

8.8 /10