PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-39911 hashgraph CVE debrief

CVE-2026-39911 is a high-severity vulnerability in Hashgraph Guardian, a product by Hedera, that allows authenticated Standard Registry users to execute arbitrary code. The vulnerability exists in the Custom Logic policy block worker, where user-supplied JavaScript expressions are passed directly to the Node.js Function() constructor without isolation. This enables attackers to import native Node.js modules, access sensitive data, and forge authentication tokens.

Vendor
hashgraph
Product
guardian
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-09
Original CVE updated
2026-07-14
Advisory published
2026-04-09
Advisory updated
2026-07-14

Who should care

Organizations using Hashgraph Guardian version 3.5.1 or earlier should prioritize patching this vulnerability. Specifically, administrators and security teams responsible for Hedera's Guardian product should take immediate action to mitigate potential risks.

Technical summary

The vulnerability in Hashgraph Guardian's Custom Logic policy block worker allows authenticated Standard Registry users to execute arbitrary JavaScript code. This is possible because user-supplied JavaScript expressions are passed directly to the Node.js Function() constructor without proper isolation. Attackers can leverage this to read arbitrary files from the container filesystem, access sensitive process environment variables, and forge valid authentication tokens for any user, including administrators.

Defensive priority

High priority should be given to patching CVE-2026-39911, as it allows for arbitrary code execution by authenticated users. Organizations should verify their current version of Hashgraph Guardian and apply the necessary patches or updates.

Recommended defensive actions

  • Verify the current version of Hashgraph Guardian and compare it with the fixed version.
  • Apply the patch or update to the latest version of Hashgraph Guardian.
  • Restrict access to the Custom Logic policy block worker to minimize the attack surface.
  • Monitor for suspicious activity related to the Custom Logic policy block worker.
  • Implement additional security measures, such as input validation and sandboxing, to prevent similar vulnerabilities.

Evidence notes

The CVE record was published on 2026-04-09T18:17:01.870Z and was last modified on 2026-07-14T21:16:46.813Z. The NVD entry is currently Modified. The vulnerability has a CVSS score of 8.7 and is classified as HIGH severity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-09T18:17:01.870Z and has not been modified since then. The NVD entry is currently Modified.