Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A specific endpoint allows authenticated users to pivot to other user profiles by modifying the id number in the API call.
AnalysisAI
Insecure Direct Object Reference (IDOR) vulnerability in Gardyn Cloud API allows unauthenticated remote attackers to access and modify arbitrary user profiles by manipulating ID parameters in API calls. CVSS:4.0 rates this 9.3 (Critical) with network-accessible attack vector requiring no privileges or user interaction, enabling unauthorized access to high-sensitivity user data and profile modification. CISA ICS-CERT issued advisory ICSA-26-055-03 for this IoT/smart garden system vulnerability. No public exploit identified at time of analysis, though the attack technique (parameter manipulation) is trivial to execute.
Technical ContextAI
This vulnerability affects the Gardyn Cloud API (cpe:2.3:a:gardyn:cloud_api), which provides backend services for Gardyn's smart indoor gardening systems. The flaw is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), a classic Insecure Direct Object Reference where the application fails to verify that the authenticated user has authorization to access the object specified by a user-supplied identifier. The API endpoint accepts an ID parameter directly from client requests without proper access control validation, allowing attackers to enumerate and access other users' profiles by iterating through ID values. This architectural flaw indicates missing server-side authorization checks that should validate the requesting user's permissions against the target resource. The CVSS:4.0 vector PR:N (No Privileges Required) reveals a critical gap: despite the description mentioning 'authenticated users,' the vector indicates NO authentication is actually required for exploitation, suggesting either publicly accessible endpoints or a complete authentication bypass capability.
RemediationAI
Implement server-side authorization controls immediately to validate that authenticated users can only access their own profile data before processing any API requests containing user ID parameters. The primary fix requires code-level changes to enforce proper access control lists (ACLs) that verify the requesting user's identity matches the target profile ID or has explicit administrative permissions. Apply the principle of least privilege by implementing role-based access control (RBAC) and validating all object references against the authenticated session context. Consult the official Gardyn security advisory at https://mygardyn.com/security/ and CISA advisory ICSA-26-055-03 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03 for vendor-specific remediation guidance and patch availability. No vendor-released patch version confirmed from available data at time of analysis. As interim mitigation, implement API rate limiting, monitor for suspicious sequential ID access patterns, add logging for cross-user profile access attempts, and consider temporary API endpoint restrictions until architectural fixes deploy. Organizations using Gardyn systems should isolate devices on dedicated network segments and restrict cloud API access until patches apply.
Unauthenticated access to complete user account data in Gardyn Cloud API allows remote attackers to retrieve sensitive i
Hardcoded storage credentials in Gardyn mobile application and device firmware grant unauthenticated remote attackers ac
Unauthenticated remote access to administrative endpoints in Gardyn Cloud API exposes device management functions to net
Unauthenticated attackers can access administrative endpoint notifications in Gardyn Cloud API without proper authentica
Gardyn Cloud API exposes development and test endpoints that mirror production functionality, allowing unauthenticated r
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18831