CVE-2026-39911
Published 2026-04-09
Priority: P2 (60) · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.55% (41.6th percentile)
Hashgraph Guardian through version 3.5.1, fixed in commit 45fbe2f, contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hashgraph | guardian | <= 3.5.1 | — |
| hedera | guardian | <= 3.5.0 | — |
Note: the two ranges disagree on the last affected version (3.5.1 vs 3.5.0), and neither lists a fixed release; the description identifies the fix only by commit 45fbe2f, so verify the deployed build against that commit rather than a version number.
CVSS provenance
NVD v3.1: 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v4.0: 8.7 HIGH · CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA
GHSA-wf7f-q2xr-hrmh: Hashgraph Guardian through version 3
GHSA (unreviewed) · 2026-04-09 · CVE-2026-39911 · HIGH · CWE-668 (Exposure of Resource to Wrong Sphere)
Hashgraph Guardian through version 3.5.0 contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.
VulDB
hashgraph guardian up to 3.5.0 Environment Variable exposure of resource
VulDB · 2026-04-09 · CVSS 8.7 · CVE-2026-39911 · HIGH
VulDB classifies the issue as critical and reports it in hashgraph guardian up to 3.5.0. An unknown function of the component Environment Variable Handler is affected; the manipulation leads to exposure of a resource.
The vulnerability is tracked as CVE-2026-39911 and can be exploited remotely. No public exploit is known.
Applying the patch is recommended.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.