CVE-2026-39911 is a high-severity vulnerability in Hashgraph Guardian up to version 3.5.1 involving unsandboxed JavaScript execution in the Custom Logic policy block worker. Authenticated Standard Registry users can supply JavaScript expressions that are executed via the Node.js Function() constructor without isolation, enabling arbitrary code execution. This allows attackers to import native Node.js modules to read files from the container filesystem, access sensitive environment variables containing credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user, including administrators. The vulnerability was fixed in commit 45fbe2f, but no official patch or advisory details are currently available. The CVSS 4.0 base score is 8.7, reflecting network attack vector, low attack complexity, no user interaction, and high impacts on confidentiality, integrity, and availability.

Successful exploitation allows an authenticated user with Standard Registry privileges to execute arbitrary code within the application environment. This can lead to unauthorized access to sensitive files and environment variables, including private cryptographic keys and API tokens. Attackers can also forge authentication tokens for any user, including administrators, potentially resulting in full system compromise. The vulnerability severely impacts confidentiality, integrity, and availability of the affected system.

No official patch or remediation guidance is currently available from the vendor. The vulnerability was fixed in commit 45fbe2f, so upgrading to a version including this fix is recommended once released. Until then, restrict Standard Registry user privileges and avoid running untrusted JavaScript code in the Custom Logic policy block worker. Monitor vendor advisories for updates and apply official patches promptly when available. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.