PT-2026-31677 · Unknown · Hashgraph Guardian

Christ Bouchuen · Published 2026-04-09 · Updated 2026-05-01

CVE-2026-39911 · CVSS v3.1 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Hashgraph Guardian versions through 3.5.0
Description: Hashgraph Guardian through version 3.5.0 executes JavaScript without a sandbox in the Custom Logic policy block worker. Expressions supplied by the user are passed directly to the Node.js Function() constructor with no isolation from the worker process, so an authenticated Standard Registry user can run arbitrary code in that process. From there the attacker can load Node.js built-in modules to read arbitrary files from the container filesystem, read process environment variables holding sensitive credentials such as RSA private keys, JWT signing keys and API tokens, and use those keys to forge valid authentication tokens for any user, including administrators.
Recommendations: Update to a version later than 3.5.0.
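The mechanism in the description, as an added example that is not Hashgraph Guardian's code: a Custom Logic style evaluator that hands the user's expression straight to Function() (the vulnerable shape), beside a hardened evaluator that never lets user text reach the JavaScript engine unvalidated. The names evaluateUnsafe and evaluateSafe, the `document` input object and the DEMO_JWT_SECRET variable are assumptions made for the illustration; the secret value is constructed.

```javascript
'use strict';

// Added illustration of the bug class behind CVE-2026-39911; this is not Hashgraph
// Guardian's code. evaluateUnsafe/evaluateSafe, the `document` input object and the
// DEMO_JWT_SECRET variable are assumptions made for the example.

// Vulnerable pattern: the user's expression is spliced straight into a Function() body.
// Function-constructed code runs in the host's global scope, so `process` (and through
// it the environment and the built-in modules) is fully reachable. Nothing here is a sandbox.
function evaluateUnsafe(expression, document) {
  return new Function('document', `return (${expression});`)(document);
}

// Constructed stand-in for a secret that a real deployment would hold in its environment.
process.env.DEMO_JWT_SECRET = 'constructed-demo-secret';

// An "expression" that is really a credential read. With a real signing key this is the
// step that lets the attacker mint tokens for any user.
function demonstrateEnvLeak() {
  return evaluateUnsafe('process.env.DEMO_JWT_SECRET', {});
}

// Hardened pattern: treat the expression as data, not code. It is tokenized against a
// deny-by-default grammar (numbers, double-quoted strings, a fixed operator set and dotted
// field references), and every field reference is resolved here, against the supplied
// document only, before any JavaScript engine sees the expression.
const TOKEN = /\s*(?:(\d+(?:\.\d+)?)|("(?:[^"\\\n]|\\.)*")|([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)|(===|!==|>=|<=|&&|\|\||[-+*\/%<>!()]))/y;

function resolveField(path, document) {
  const [root, ...keys] = path.split('.');
  if (root !== 'document' || keys.length === 0) {
    throw new Error(`rejected: unknown identifier "${path}"`);
  }
  let value = document;
  for (const key of keys) {
    // Own-property walk only: `constructor`, `__proto__` and anything inherited are
    // unreachable, so there is no path back to Function or globalThis.
    if (value === null || typeof value !== 'object' || !Object.prototype.hasOwnProperty.call(value, key)) {
      throw new Error(`rejected: field "${path}" is not present on the document`);
    }
    value = value[key];
  }
  if (value !== null && !['string', 'number', 'boolean'].includes(typeof value)) {
    throw new Error(`rejected: field "${path}" is not a primitive`);
  }
  return value;
}

function evaluateSafe(expression, document) {
  const src = expression.trim();
  const values = [];   // resolved field values, read by index from the rebuilt source
  const out = [];      // tokens we emit; user text never reaches the engine verbatim
  TOKEN.lastIndex = 0;
  while (TOKEN.lastIndex < src.length) {
    const at = TOKEN.lastIndex;
    const m = TOKEN.exec(src);
    if (m === null) {
      throw new Error(`rejected: illegal token at offset ${at}`);
    }
    if (m[3] !== undefined) {
      values.push(resolveField(m[3], document));
      out.push(`__v[${values.length - 1}]`);
    } else {
      out.push(m[1] ?? m[2] ?? m[4]);
    }
  }
  if (out.length === 0) {
    throw new Error('rejected: empty expression');
  }
  // The compiled source now contains only validated literals, operators from the fixed set
  // and indexed reads of pre-resolved primitives. Malformed combinations fail with a
  // SyntaxError from Function() and are reported as rejections.
  let fn;
  try {
    fn = new Function('__v', `"use strict"; return (${out.join(' ')});`);
  } catch (e) {
    throw new Error(`rejected: ${e.message}`);
  }
  return fn(values);
}

// True when the hardened evaluator refuses the expression.
function isRejected(expression, document) {
  try {
    evaluateSafe(expression, document);
    return false;
  } catch (e) {
    return e.message.startsWith('rejected');
  }
}

console.log('unsafe evaluator leaks:', demonstrateEnvLeak());
console.log('safe evaluator result:', evaluateSafe('document.amount > 100 && document.status === "approved"', { amount: 250, status: 'approved' }));
console.log('safe evaluator rejects credential read:', isRejected('process.env.DEMO_JWT_SECRET', {}));
```

Run it with node. Wrapping the same Function() call in the built-in vm module is not a fix: Node's own documentation states that vm is not a security mechanism, and a sandbox object created in the host realm exposes the host Function constructor through its prototype chain. Either evaluate a closed expression grammar, as above, or run untrusted code in a genuinely isolated process or isolate that has no access to the worker's environment, filesystem or keys.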

Weakness Enumeration

CWE-668: Exposure of Resource to Wrong Sphere

Related Identifiers

CVE-2026-39911

Affected Products

Hashgraph Guardian