CVE-2026-39911 is a vulnerability in Hashgraph Guardian up to version 3.5.0 where the Custom Logic policy block worker unsafely executes user-supplied JavaScript code via the Node.js Function() constructor without sandboxing. Authenticated users with Standard Registry privileges can exploit this to execute arbitrary code within the container environment. Exploitation enables reading arbitrary files, accessing sensitive environment variables containing credentials such as RSA private keys, JWT signing keys, and API tokens, and forging authentication tokens for any user including administrators. This represents an exposure of resources to an unauthorized sphere (CWE-668). The vulnerability is remotely exploitable without user interaction and requires only low privileges (authenticated Standard Registry user). No official patch or remediation level has been published as of the data provided.

Successful exploitation allows an authenticated Standard Registry user to execute arbitrary code within the container hosting Hashgraph Guardian. This leads to disclosure of sensitive files and environment variables, including cryptographic keys and tokens, and enables forging of authentication tokens for any user, including administrators. This can result in full system compromise and unauthorized access to protected resources. The CVSS 4.0 score of 8.7 reflects high impact on confidentiality, integrity, and availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Standard Registry user access to trusted personnel only and consider disabling or limiting use of the Custom Logic policy block worker feature if feasible. Monitor for updates from the vendor regarding patches or official mitigations.