EUVD-2026-20993
GHSA-wf7f-q2xr-hrmh
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Description
Hashgraph Guardian through version 3.5.0 contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.
Analysis
Remote code execution in Hashgraph Guardian ≤3.5.0 enables authenticated Standard Registry users to execute arbitrary JavaScript through unsandboxed Function() constructor in Custom Logic policy block worker. Attackers can import Node.js modules to read container files, extract environment credentials (RSA private keys, JWT signing keys, API tokens), and forge authentication tokens for privilege escalation to administrator access. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Hashgraph Guardian deployments running version 3.5.0 or earlier and disable or restrict Standard Registry user access to Custom Logic policy block creation. Within 7 days: Audit all existing Custom Logic policies for suspicious JavaScript code and rotate all environment credentials (RSA private keys, JWT signing keys, API tokens) stored in affected containers. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today