Authentication Bypass Vulnerability in Hedera Guardian by Hashgraph
CVE-2026-45248

6.9 MEDIUM

Key Information:

Vendor: Hashgraph

Status
Vendor
CVE Published: 14 May 2026

What is CVE-2026-45248?

Hedera Guardian versions up to 3.5.1 contain an authentication bypass vulnerability in the GET /api/v1/demo/registered-users endpoint. The endpoint responds without requiring authentication credentials, so an unauthorized attacker can retrieve usernames, Hedera Decentralized Identifiers (DIDs), parent registry DIDs, system roles, and policy role assignments for all registered users in the system. This poses a significant risk to user privacy and data security.

Affected Version(s)

guardian 0 <= 3.5.1

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Christ Bouchuen