Skip to main content

Hedera Guardian CVE-2026-45248

| EUVDEUVD-2026-30494 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-05-14 VulnCheck GHSA-5v4v-3g9q-mh5j
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
May 14, 2026 - 22:22 NVD
5.3 (MEDIUM) 6.9 (MEDIUM)
Source Code Evidence Fetched
May 14, 2026 - 22:15 vuln.today
Analysis Generated
May 14, 2026 - 22:15 vuln.today
CVE Published
May 14, 2026 - 21:36 nvd
MEDIUM 5.3

DescriptionCVE.org

Hedera Guardian through 3.5.1 contains an authentication bypass vulnerability in the GET /api/v1/demo/registered-users endpoint that allows unauthenticated attackers to retrieve sensitive user information. Attackers can access the endpoint without providing authentication credentials to obtain usernames, Hedera DIDs, parent registry DIDs, system roles, and policy role assignments for all registered users in the system.

AnalysisAI

Hedera Guardian through version 3.5.1 allows unauthenticated attackers to retrieve sensitive user information via the GET /api/v1/demo/registered-users endpoint, which lacks proper authentication controls. Attackers can access this endpoint without credentials to obtain usernames, Hedera DIDs, parent registry DIDs, system roles, and policy role assignments for all registered users. The vulnerability affects confidentiality with a CVSS score of 5.3 and has been fixed in the upstream repository via GitHub PR #6076.

Technical ContextAI

The vulnerability exists in the API Gateway's demo service endpoint (api-gateway/src/api/service/demo.ts), specifically in the registeredUsers() method, which queries the Guardian database to return a list of all registered users with their associated metadata. The underlying issue is a missing authentication decorator (@Auth) on the endpoint that should have enforced the DEMO_KEY_CREATE permission. CWE-306 identifies this as a 'Missing Authentication for Critical Function' - the endpoint performs a sensitive operation (user information disclosure) without verifying caller identity. The affected CPE indicates all versions of Hedera Guardian up to and including 3.5.1 are vulnerable. The fix, visible in PR #6076, adds the @Auth decorator to enforce permission checks and injects the authenticated user context into the handler, converting this from an open endpoint to a protected one.

RemediationAI

Upgrade Hedera Guardian to a patched version that includes the fix from PR #6076, which enforces the @Auth(Permissions.DEMO_KEY_CREATE) decorator on the registeredUsers endpoint. The patch adds authentication checks and injects authenticated user context, requiring valid credentials before the endpoint returns user data. Users unable to immediately upgrade should restrict network access to the /api/v1/demo/registered-users endpoint via API gateway firewall rules, load balancer policies, or reverse proxy ACLs to allow only trusted administrative clients. Additionally, review access logs for the endpoint to identify any unauthorized queries of user information and assess exposure scope. Implementing network segmentation to limit API Gateway exposure to internal networks only provides defense-in-depth but does not substitute for the patch. The GitHub PR at https://github.com/hashgraph/guardian/pull/6076 and VulnCheck advisory at https://www.vulncheck.com/advisories/hedera-guardian-authentication-bypass-information-disclosure contain patch details and confirmation.

CVE-2020-7049 HIGH POC
7.3 Jun 30

Nozomi Networks OS before 19.0.4 allows /#/network?tab=network_node_list.html CSV Injection. Rated high severity (CVSS 7

CVE-2020-15307 MEDIUM POC
6.1 Jun 30

Nozomi Guardian before 19.0.4 allows attackers to achieve stored XSS (in the web front end) by leveraging the ability to

CVE-2023-29245 CRITICAL
9.2 Sep 19

A SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in certain fields us

CVE-2026-31984 HIGH
8.7 Jul 09

Disk-exhaustion denial of service in Nozomi Networks Guardian and Central Management Console (CMC) lets a remote, unauth

CVE-2026-39911 HIGH
8.7 Apr 09

Authenticated Standard Registry users can execute arbitrary Node.js code in Hashgraph Guardian ≤3.5.0 through unsandboxe

CVE-2023-2567 HIGH
8.7 Sep 19

A SQL Injection vulnerability has been found in Nozomi Networks Guardian and CMC, due to improper input validation in ce

CVE-2023-23574 HIGH
8.7 Aug 09

A blind SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in the alerts_

CVE-2023-22378 HIGH
8.7 Aug 09

A blind SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in the sorting

CVE-2022-0551 HIGH
8.6 Mar 24

Improper Input Validation vulnerability in project file upload in Nozomi Networks Guardian and CMC allows an authenticat

CVE-2022-0550 HIGH
8.6 Mar 24

Improper Input Validation vulnerability in custom report logo upload in Nozomi Networks Guardian, and CMC allows an auth

CVE-2021-26725 HIGH
8.6 Feb 22

Path Traversal vulnerability when changing timezone using web GUI of Nozomi Networks Guardian, CMC allows an authenticat

CVE-2021-26724 HIGH
8.6 Feb 22

OS Command Injection vulnerability when changing date settings or hostname using web GUI of Nozomi Networks Guardian and

Share

CVE-2026-45248 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy