CVE-2026-39911: Hashgraph Guardian RCE
CVE-2026-39911 lets an authenticated attacker execute arbitrary Node.js code, steal RSA private keys and JWT signing keys, and forge administrator credentials in Hashgraph Guardian versions up to and including 3.5.0. Upgrade beyond 3.5.0 immediately.
Vendor-confirmed: CVE-2026-39911 is a high-severity remote code execution vulnerability in Hashgraph Guardian up to and including 3.5.0. It grants authenticated Standard Registry users full container-level access through unsandboxed JavaScript injection in the Custom Logic block, enabling theft of sensitive credentials and complete compromise of the instance. Upgrading to a version beyond 3.5.0 is the primary remediation.
Overview
A high-severity remote code execution (RCE) vulnerability, CVE-2026-39911, exists in Hashgraph Guardian versions up to and including 3.5.0. The flaw resides in the platform’s Custom Logic policy block worker, which unsafely processes user-supplied JavaScript.
Vulnerability Details
Authenticated users holding the Standard Registry role can supply JavaScript in the Custom Logic block. The worker passes that string straight to the Node.js Function() constructor with no sandboxing or isolation. Function() compiles the code in the worker's own realm and V8 isolate rather than in a separate context, so the resulting function has the same reach as any other code in the process: globalThis, process (and therefore process.env), the module system and the filesystem behind it. An attacker can therefore leave the intended application context entirely and run arbitrary native Node.js code inside the underlying container.
Impact and Risks
Successful exploitation gives the attacker the worker process's view of the container: its filesystem and its environment. That exposes credentials held in environment variables, including RSA private keys, JWT signing keys and API tokens. With a signing key in hand the attacker can mint valid authentication tokens for any account, administrators included, which amounts to complete compromise of the Guardian instance and the data it manages.
Remediation and Mitigation
The primary remediation is to upgrade Hashgraph Guardian to a version beyond 3.5.0; the vendor has addressed the vulnerability in subsequent releases. Where immediate patching is not possible, limit the Standard Registry role to the smallest set of trusted users as a temporary mitigation, and review system logs for unusual activity or unexpected code execution in Custom Logic blocks. Upgrading does not revoke anything already taken: if the instance may have been exploited, rotate the RSA private keys, JWT signing keys and API tokens the container held in its environment, since a stolen signing key remains usable for forging tokens until it is replaced.
Security Insight
This vulnerability illustrates the persistent risk of exposing a full scripting runtime, here Node.js, to users of an enterprise application without a real isolation boundary. Extensibility features such as "custom logic" blocks have repeatedly become the route to full system compromise in low-code platforms, and the usual stopgaps do not help: Node's own documentation states that the vm module is not a security mechanism, because a new context shares the host isolate and can reach back into it. Code supplied by a user must be treated as hostile by default, which means a separate isolate or process that holds no credentials, a restricted expression language in place of JavaScript, or not executing user code at all.