CVE Catalog

CVE-2026-45248

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.36%

28th percentile - higher than 28% of all known CVEs

Summary

Hedera Guardian through version 3.5.1 contains an authentication bypass vulnerability in the GET /api/v1/demo/registered-users endpoint. Unauthenticated attackers can retrieve sensitive user information including usernames, Hedera DIDs, system roles, and policy assignments.

Risk Assessment

The risk involves unauthorized disclosure of all registered users' data, potentially leading to privacy breaches, identity theft, or further attacks on the system.

Recommendation

Immediately upgrade Hedera Guardian to a version newer than 3.5.1 or apply a temporary workaround by restricting access to the /api/v1/demo/registered-users endpoint to authenticated administrators only.

Original NVD description (English source)

Hedera Guardian through 3.5.1 contains an authentication bypass vulnerability in the GET /api/v1/demo/registered-users endpoint that allows unauthenticated attackers to retrieve sensitive user information. Attackers can access the endpoint without providing authentication credentials to obtain usernames, Hedera DIDs, parent registry DIDs, system roles, and policy role assignments for all registered users in the system.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS