CVE-2026-39911

HIGH

Hashgraph Guardian 3.5.0 Unsandboxed JavaScript Execution RCE

Title source: cna

Description

Hashgraph Guardian through version 3.5.0 contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.

References (3)

[Issue Tracking, Mitigation] https://github.com/hashgraph/guardian/pull/5929

[Patch] https://github.com/hashgraph/guardian/commit/45fbe2f7e0e8feee30105d42d66ed63fb6177ebe

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/hashgraph-guardian-unsandboxed-javascript-execution-rce

Scores

CVSS v3 8.8

EPSS 0.0012

EPSS Percentile 30.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-668

Status published

Products (4)

hashgraph/guardian < 3.5.0

hashgraph/guardian < 3.5.1

hashgraph/guardian 45fbe2f7e0e8feee30105d42d66ed63fb6177ebe

hedera/guardian < 3.5.0

Published Apr 09, 2026

Tracked Since Apr 10, 2026