Compliance Impact

The vulnerability allows attackers to access sensitive credentials such as RSA private keys, JWT signing keys, and API tokens by executing arbitrary code within the system. This unauthorized access to sensitive data can lead to data breaches and compromise the confidentiality, integrity, and availability of protected information.

Such exposure and potential misuse of sensitive data can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which mandate strict controls over the protection of personal and sensitive information.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-39911 is a vulnerability in Hashgraph Guardian up to version 3.5.0 where the Custom Logic policy block worker executes user-supplied JavaScript code without sandboxing. Authenticated users can pass arbitrary JavaScript expressions directly to the Node.js Function() constructor, which runs the code in the same context as the policy service. This lack of isolation allows attackers to access sensitive Node.js internals such as environment variables, native modules, and the filesystem.

Attackers can exploit this to read sensitive files, access credentials like RSA private keys and JWT signing keys, and forge authentication tokens for any user, including administrators. The vulnerability arises because the JavaScript code runs with full privileges, unlike the Python Custom Logic worker which uses a secure WebAssembly sandbox.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including unauthorized code execution within the Hashgraph Guardian environment. An attacker who exploits this flaw can read arbitrary files from the container filesystem and access sensitive environment variables containing credentials such as RSA private keys, JWT signing keys, and API tokens.

With these credentials, attackers can forge valid authentication tokens for any user, including administrators, effectively gaining full control over the system. This compromises confidentiality, integrity, and availability of the affected system.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying if the Hashgraph Guardian platform version 3.5.0 or earlier is running and if the Custom Logic policy block worker executes user-supplied JavaScript code using the Node.js Function() constructor without sandboxing.

Since the vulnerability allows arbitrary JavaScript execution by authenticated Standard Registry users, monitoring for unusual or unauthorized JavaScript execution or attempts to access Node.js internals such as process.env or native modules like fs can indicate exploitation.

Specific commands to detect exploitation attempts are not provided in the available resources.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves updating the Hashgraph Guardian platform to a version that includes the fix for CVE-2026-39911.

The fix replaces the insecure use of the Node.js Function() constructor with a sandboxed execution environment using Node.js's built-in vm module, which isolates user code and blocks access to Node.js internals such as process, require, import, and native modules.

• Apply the patch or upgrade to a version where the JavaScript Custom Logic worker runs user code inside a sandboxed V8 context created by vm.createContext() and vm.runInContext().
• Ensure that the sandbox disables code generation and limits execution time to prevent resource exhaustion.
• Restrict user permissions to prevent unauthorized access and monitor for suspicious activity related to Custom Logic policy blocks.

Useful 0 Not Useful 0