CVE-2026-45248
Description
Hedera Guardian through 3.5.1 contains an authentication bypass vulnerability in the GET /api/v1/demo/registered-users endpoint that allows unauthenticated attackers to retrieve sensitive user information. Attackers can access the endpoint without providing authentication credentials to obtain usernames, Hedera DIDs, parent registry DIDs, system roles, and policy role assignments for all registered users in the system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Hedera Guardian through 3.5.1 exposes user data via an unauthenticated endpoint, allowing attackers to retrieve sensitive user information without credentials.
Vulnerability
The GET /api/v1/demo/registered-users endpoint in Hedera Guardian through version 3.5.1 lacks authentication checks, allowing unauthenticated access. This endpoint returns sensitive user information including usernames, Hedera DIDs, parent registry DIDs, system roles, and policy role assignments for all registered users. The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function) [1][2].
Exploitation
An attacker can simply send a GET request to /api/v1/demo/registered-users without any authentication token. No prior access or user interaction is required. The endpoint is publicly accessible, and the attacker can retrieve the full list of registered users and their associated sensitive data [1][2].
Impact
Successful exploitation allows an unauthenticated attacker to obtain a comprehensive list of all registered users along with their Hedera DIDs, parent registry DIDs, system roles, and policy role assignments. This information disclosure can be used for further targeted attacks or reconnaissance against the Hedera Guardian system [2].
Mitigation
The fix was implemented in pull request #6076, which adds the @Auth(Permissions.DEMO_KEY_CREATE) guard to the registeredUsers() function, requiring authentication. The fix is available in versions after 3.5.1. Users should update to the latest patched version. No workaround is documented; the endpoint should be restricted until patched [1].
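To make the CWE-306 defect and the guard-style fix concrete, here is an added example (not Hedera Guardian's code) that models the endpoint as a plain handler: the unguarded version hands the registered-user list to any caller, while the guarded version wraps the same handler in a permission check modelled on the `@Auth(Permissions.DEMO_KEY_CREATE)` guard described above. The request shape, session store, the second permission name and the user records are constructed for the example.

```typescript
// Added example, not Hedera Guardian's code: models the missing-authentication
// defect (CWE-306) on GET /api/v1/demo/registered-users and the guard-style fix.
type Permission = "DEMO_KEY_CREATE" | "POLICY_READ"; // POLICY_READ is constructed
const Permissions = { DEMO_KEY_CREATE: "DEMO_KEY_CREATE" as Permission };

// Constructed request shape: only the header the guard inspects.
interface HttpRequest { headers: { authorization?: string } }

// Constructed records with the fields the CVE says are exposed.
interface RegisteredUser { username: string; did: string; parentDid: string | null; role: string; policyRoles: string[] }
const users: RegisteredUser[] = [
  { username: "StandardRegistry", did: "did:hedera:testnet:EXAMPLE_SR", parentDid: null, role: "STANDARD_REGISTRY", policyRoles: [] },
  { username: "Installer", did: "did:hedera:testnet:EXAMPLE_USER", parentDid: "did:hedera:testnet:EXAMPLE_SR", role: "USER", policyRoles: ["Installer"] },
];

// Constructed session store (assumption): bearer token -> granted permissions.
const sessions: Record<string, Permission[]> = { "token-admin": ["DEMO_KEY_CREATE", "POLICY_READ"], "token-viewer": ["POLICY_READ"] };

class UnauthorizedError extends Error {}
class ForbiddenError extends Error {}

// Vulnerable shape: the handler never looks at the caller, so any request gets the full list.
function registeredUsersUnguarded(_req: HttpRequest): RegisteredUser[] {
  return users;
}

// Guard modelled on the fix's @Auth(permission) decorator, written as a wrapper so it runs
// without a framework: reject without a valid token (401), then without the permission (403).
function Auth<T>(required: Permission, handler: (req: HttpRequest) => T): (req: HttpRequest) => T {
  return (req) => {
    const token = req.headers.authorization?.replace(/^Bearer\s+/i, "");
    const granted = token ? sessions[token] : undefined;
    if (!granted) throw new UnauthorizedError("authentication required");
    if (!granted.includes(required)) throw new ForbiddenError("missing permission " + required);
    return handler(req);
  };
}

// Fixed endpoint: same handler, now behind the DEMO_KEY_CREATE requirement.
const registeredUsers = Auth(Permissions.DEMO_KEY_CREATE, registeredUsersUnguarded);

// Maps a call to the HTTP status the guard would yield, for the checks below.
function statusFor(handler: (req: HttpRequest) => unknown, req: HttpRequest): number {
  try { handler(req); return 200; }
  catch (e) { return e instanceof UnauthorizedError ? 401 : e instanceof ForbiddenError ? 403 : 500; }
}
```

An anonymous request still succeeds against the unguarded handler, which is the disclosure the CVE describes; against the guarded one it is refused before the handler runs.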
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.