PT-2026-41130 · Hedera · Hedera Guardian
Christ Bouchuen · Published 2026-05-14 · Updated 2026-05-27 · CVE-2026-45248
| CVSS v3.1 | 5.3 (Medium) |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Hedera Guardian versions prior to 3.5.2
Description
An authentication bypass exists in the 'GET /api/v1/demo/registered-users' endpoint: it returns data without requiring any credentials. This allows unauthenticated attackers to retrieve sensitive user information for every registered user in the system, including usernames, Hedera DIDs, parent registry DIDs, system roles, and policy role assignments.
Recommendations
Update to a version newer than 3.5.1.
As a temporary workaround, restrict access to the 'GET /api/v1/demo/registered-users' endpoint to minimize the risk of exploitation.
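One way to apply the workaround above at the edge, as an added example that is not part of the advisory or of the Guardian project's own deployment files: an nginx reverse-proxy fragment that refuses the affected path before it reaches the Guardian API. It assumes Guardian is fronted by nginx; the upstream address, server name and log path are placeholders, and TLS termination is omitted for brevity.

```nginx
# Added example (not from the advisory or the Guardian project): nginx
# reverse-proxy fragment implementing the advisory's temporary workaround
# of restricting access to 'GET /api/v1/demo/registered-users'.
# Upstream address, server_name and log path are placeholders.

upstream guardian_api {
    server 127.0.0.1:3000;   # placeholder: where the Guardian API gateway listens
}

server {
    listen 80;
    server_name guardian.example.internal;   # placeholder

    # Weak (default) setting: every path, including the demo endpoint, is
    # proxied straight through, so the unauthenticated endpoint stays reachable.
    #
    # location / {
    #     proxy_pass http://guardian_api;
    # }

    # Corrected setting: '^~' is a prefix match that also covers trailing-slash
    # variants; the query string is not part of the matched URI, so parameters
    # cannot bypass it. Attempts are logged separately so probing of the
    # endpoint can be detected while the workaround is in place.
    location ^~ /api/v1/demo/registered-users {
        access_log /var/log/nginx/guardian-demo-endpoint.log;   # placeholder path
        return 404;
    }

    # Everything else is proxied to Guardian unchanged.
    location / {
        proxy_pass http://guardian_api;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Validate with `nginx -t` and reload the service afterwards. Returning 404 rather than 403 avoids confirming the endpoint exists; the dedicated access log gives a simple signal for how often the path is being requested until the upgrade to 3.5.2 or later removes the need for the block.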
Fix
Missing Authentication
Affected Products
Hedera Guardian