CVE-2026-45248 PUBLISHED

Hedera Guardian Authentication Bypass Information Disclosure

Assigner: VulnCheck
Reserved: 11.05.2026 Published: 14.05.2026 Updated: 14.05.2026

Hedera Guardian through 3.5.1 contains an authentication bypass vulnerability in the GET /api/v1/demo/registered-users endpoint that allows unauthenticated attackers to retrieve sensitive user information. Attackers can access the endpoint without providing authentication credentials to obtain usernames, Hedera DIDs, parent registry DIDs, system roles, and policy role assignments for all registered users in the system.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.9

Product Status

Vendor: hashgraph
Product: guardian
Versions (default: affected):
  • affected from 0 to 3.5.1 (incl.)

Credits

  • Christ Bouchuen (finder)

Problem Types

  • Missing Authentication for Critical Function CWE