High severity8.8NVD Advisory· Published Apr 9, 2026· Updated May 1, 2026

CVE-2026-39911

Description

Hashgraph Guardian through version 3.5.1, fixed in commit 45fbe2f, contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.

Affected products

Hedera/Guardian
cpe:2.3:a:hedera:guardian:*:*:*:*:*:*:*:*
Range: <=3.5.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.vulncheck.com/advisories/hashgraph-guardian-unsandboxed-javascript-execution-rcenvdThird Party Advisory
github.com/hashgraph/guardian/pull/5929nvdIssue Tracking
github.com/hashgraph/guardian/commit/45fbe2f7e0e8feee30105d42d66ed63fb6177ebenvd

News mentions

How Dangerous Is Anthropic’s Mythos AI?
Schneier on Security · May 14, 2026
Deepfake sextortion forces schools to remove student photos from websites
Malwarebytes Labs · May 14, 2026
Your AI Agents Are Already Inside the Perimeter. Do You Know What They're Doing?
The Hacker News · May 6, 2026
Medical data of 500,000 UK volunteers listed for sale on Alibaba
Malwarebytes Labs · Apr 24, 2026
Risky Business #825 -- Palo Alto Networks blames it on the boogie
Risky Business · Feb 18, 2026
Risky Business #824 -- Microsoft's Secure Future is looking a bit wobbly
Risky Business · Feb 11, 2026

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000