Skip to main content

Hashgraph Guardian EUVDEUVD-2026-20993

| CVE-2026-39911 HIGH
Exposure of Resource to Wrong Sphere (CWE-668)
2026-04-09 VulnCheck GHSA-wf7f-q2xr-hrmh
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Apr 22, 2026 - 00:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 22, 2026 - 00:52 vuln.today
cvss_changed
EUVD ID Assigned
Apr 09, 2026 - 18:15 euvd
EUVD-2026-20993
Analysis Generated
Apr 09, 2026 - 18:15 vuln.today
CVE Published
Apr 09, 2026 - 17:57 nvd
HIGH 8.7

DescriptionCVE.org

Hashgraph Guardian through version 3.5.0 contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.

AnalysisAI

Authenticated Standard Registry users can execute arbitrary Node.js code in Hashgraph Guardian ≤3.5.0 through unsandboxed JavaScript evaluation in the Custom Logic policy block worker, enabling credential theft and privilege escalation. The vulnerability allows importing native Node.js modules to read container filesystem contents, extract RSA private keys and JWT signing secrets from environment variables, and forge administrator authentication tokens. Despite low EPSS (0.12%) indicating minimal widespread exploitation probability, the authenticated RCE path to total system compromise warrants immediate patching for deployments using Custom Logic policy features.

Technical ContextAI

Hashgraph Guardian's Custom Logic policy block worker accepts user-supplied JavaScript expressions and executes them via the Node.js Function() constructor without sandboxing or isolation mechanisms. This CWE-668 (Exposure of Resource to Wrong Sphere) vulnerability stems from directly passing untrusted code to a JavaScript evaluation primitive that inherits full Node.js runtime capabilities. Unlike browser-based JavaScript execution which operates in a restricted environment, Node.js Function() provides access to require() for importing native modules (fs, process, crypto), filesystem I/O, and process memory. The affected component appears to be designed for dynamic policy logic evaluation but lacks the VM sandboxing (vm2, isolated-vm) or capability restriction mechanisms necessary when executing user-controlled code in server-side JavaScript runtimes.

RemediationAI

Upgrade Hashgraph Guardian to version 3.5.1 or later once the fix from GitHub PR #5929 (https://github.com/hashgraph/guardian/pull/5929) is released in a tagged version. Until patched versions are available, implement these compensating controls with noted trade-offs: (1) Disable or remove the Custom Logic policy block feature entirely if not business-critical - eliminates attack surface but may break existing policy workflows requiring dynamic JavaScript evaluation; (2) Restrict Standard Registry user role assignments to only absolutely trusted administrators and implement mandatory code review for all Custom Logic policy blocks before deployment - reduces attacker pool but introduces operational overhead and doesn't prevent malicious insiders; (3) Deploy Guardian containers with read-only root filesystems and externalize all secrets to secure secret management systems rather than environment variables - limits filesystem read impact and credential exposure but requires infrastructure reconfiguration and may affect other Guardian components expecting writable paths. Monitor container process execution for unexpected child processes or require() calls to filesystem/process modules as detection layer. Consult VulnCheck advisory at https://www.vulncheck.com/advisories/hashgraph-guardian-unsandboxed-javascript-execution-rce for additional vendor guidance.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

EUVD-2026-20993 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy