Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Hedera Guardian through 3.5.1 contains an authentication bypass vulnerability in the GET /api/v1/demo/registered-users endpoint that allows unauthenticated attackers to retrieve sensitive user information. Attackers can access the endpoint without providing authentication credentials to obtain usernames, Hedera DIDs, parent registry DIDs, system roles, and policy role assignments for all registered users in the system.
AnalysisAI
Hedera Guardian through version 3.5.1 allows unauthenticated attackers to retrieve sensitive user information via the GET /api/v1/demo/registered-users endpoint, which lacks proper authentication controls. Attackers can access this endpoint without credentials to obtain usernames, Hedera DIDs, parent registry DIDs, system roles, and policy role assignments for all registered users. The vulnerability affects confidentiality with a CVSS score of 5.3 and has been fixed in the upstream repository via GitHub PR #6076.
Technical ContextAI
The vulnerability exists in the API Gateway's demo service endpoint (api-gateway/src/api/service/demo.ts), specifically in the registeredUsers() method, which queries the Guardian database to return a list of all registered users with their associated metadata. The underlying issue is a missing authentication decorator (@Auth) on the endpoint that should have enforced the DEMO_KEY_CREATE permission. CWE-306 identifies this as a 'Missing Authentication for Critical Function' - the endpoint performs a sensitive operation (user information disclosure) without verifying caller identity. The affected CPE indicates all versions of Hedera Guardian up to and including 3.5.1 are vulnerable. The fix, visible in PR #6076, adds the @Auth decorator to enforce permission checks and injects the authenticated user context into the handler, converting this from an open endpoint to a protected one.
RemediationAI
Upgrade Hedera Guardian to a patched version that includes the fix from PR #6076, which enforces the @Auth(Permissions.DEMO_KEY_CREATE) decorator on the registeredUsers endpoint. The patch adds authentication checks and injects authenticated user context, requiring valid credentials before the endpoint returns user data. Users unable to immediately upgrade should restrict network access to the /api/v1/demo/registered-users endpoint via API gateway firewall rules, load balancer policies, or reverse proxy ACLs to allow only trusted administrative clients. Additionally, review access logs for the endpoint to identify any unauthorized queries of user information and assess exposure scope. Implementing network segmentation to limit API Gateway exposure to internal networks only provides defense-in-depth but does not substitute for the patch. The GitHub PR at https://github.com/hashgraph/guardian/pull/6076 and VulnCheck advisory at https://www.vulncheck.com/advisories/hedera-guardian-authentication-bypass-information-disclosure contain patch details and confirmation.
Nozomi Networks OS before 19.0.4 allows /#/network?tab=network_node_list.html CSV Injection. Rated high severity (CVSS 7
Nozomi Guardian before 19.0.4 allows attackers to achieve stored XSS (in the web front end) by leveraging the ability to
A SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in certain fields us
Disk-exhaustion denial of service in Nozomi Networks Guardian and Central Management Console (CMC) lets a remote, unauth
Authenticated Standard Registry users can execute arbitrary Node.js code in Hashgraph Guardian ≤3.5.0 through unsandboxe
A SQL Injection vulnerability has been found in Nozomi Networks Guardian and CMC, due to improper input validation in ce
A blind SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in the alerts_
A blind SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in the sorting
Improper Input Validation vulnerability in project file upload in Nozomi Networks Guardian and CMC allows an authenticat
Improper Input Validation vulnerability in custom report logo upload in Nozomi Networks Guardian, and CMC allows an auth
Path Traversal vulnerability when changing timezone using web GUI of Nozomi Networks Guardian, CMC allows an authenticat
OS Command Injection vulnerability when changing date settings or hostname using web GUI of Nozomi Networks Guardian and
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30494
GHSA-5v4v-3g9q-mh5j