PatchSiren cyber security CVE debrief
CVE-2026-39911 hashgraph CVE debrief
CVE-2026-39911 is a high-severity vulnerability in Hashgraph Guardian, a product by Hedera, that allows authenticated Standard Registry users to execute arbitrary code. The vulnerability exists in the Custom Logic policy block worker, where user-supplied JavaScript expressions are passed directly to the Node.js Function() constructor without isolation. This enables attackers to import native Node.js modules, access sensitive data, and forge authentication tokens.
- Vendor
- hashgraph
- Product
- guardian
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-09
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-04-09
- Advisory updated
- 2026-07-14
Who should care
Organizations using Hashgraph Guardian version 3.5.1 or earlier should prioritize patching this vulnerability. Specifically, administrators and security teams responsible for Hedera's Guardian product should take immediate action to mitigate potential risks.
Technical summary
The vulnerability in Hashgraph Guardian's Custom Logic policy block worker allows authenticated Standard Registry users to execute arbitrary JavaScript code. This is possible because user-supplied JavaScript expressions are passed directly to the Node.js Function() constructor without proper isolation. Attackers can leverage this to read arbitrary files from the container filesystem, access sensitive process environment variables, and forge valid authentication tokens for any user, including administrators.
Defensive priority
High priority should be given to patching CVE-2026-39911, as it allows for arbitrary code execution by authenticated users. Organizations should verify their current version of Hashgraph Guardian and apply the necessary patches or updates.
Recommended defensive actions
- Verify the current version of Hashgraph Guardian and compare it with the fixed version.
- Apply the patch or update to the latest version of Hashgraph Guardian.
- Restrict access to the Custom Logic policy block worker to minimize the attack surface.
- Monitor for suspicious activity related to the Custom Logic policy block worker.
- Implement additional security measures, such as input validation and sandboxing, to prevent similar vulnerabilities.
Evidence notes
The CVE record was published on 2026-04-09T18:17:01.870Z and was last modified on 2026-07-14T21:16:46.813Z. The NVD entry is currently Modified. The vulnerability has a CVSS score of 8.7 and is classified as HIGH severity.
Official resources
-
CVE-2026-39911 CVE record
CVE.org
-
CVE-2026-39911 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
-
Source reference
[email protected] - Issue Tracking
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-09T18:17:01.870Z and has not been modified since then. The NVD entry is currently Modified.