CVE-2026-39911: Hashgraph Guardian RCE
CVE-2026-39911
Hashgraph Guardian through version 3.5.0 contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute...
Overview
A high-severity remote code execution (RCE) vulnerability, CVE-2026-39911, exists in Hashgraph Guardian versions up to and including 3.5.0. The flaw resides in the platform’s Custom Logic policy block worker, which unsafely processes user-supplied JavaScript.
Vulnerability Details
Authenticated users holding the Standard Registry role can submit JavaScript through the Custom Logic block. The worker passes that source directly to the Node.js Function() constructor, which, like eval, compiles it in the host realm with no sandboxing or isolation. The attacker is therefore not confined to the block's intended data-transformation context and can run arbitrary Node.js code with the privileges of the worker process inside its container.
Impact and Risks
Successful exploitation gives the attacker the worker's view of the container: its filesystem and its environment variables. Because secrets such as RSA private keys, JWT signing keys and API tokens are held in environment variables, they can be read out directly. With the signing material in hand, an attacker can mint valid authentication tokens for any account, including administrators, which amounts to a complete compromise of the Guardian instance and the data it manages.
Remediation and Mitigation
The primary remediation is to upgrade Hashgraph Guardian to a release later than 3.5.0 in which the vendor has fixed the issue. Where that cannot be done immediately, limit the Standard Registry role to the smallest set of trusted users, since the bug is reachable only with that role, and audit who currently holds it. Review system logs for unexpected executions of Custom Logic blocks. Patching does not invalidate credentials that were already stolen: if there is any indication the worker was exploited, rotate the JWT signing keys, RSA keys and API tokens exposed through its environment, because tokens forged with the old signing keys remain valid for as long as those keys do.
Security Insight
This vulnerability highlights the persistent risk of embedding a powerful scripting engine, here Node.js, in an enterprise application without a real isolation boundary around it. It mirrors past incidents in low-code platforms where a "custom logic" feature became the route to full system compromise. The pattern underscores that extensibility features must treat the code they execute as untrusted by default, which means isolation at the process or OS level rather than in-process tricks such as hiding globals, since those leave the host realm reachable.