Skip to main content

Cloud Api CVE-2026-25197

| EUVDEUVD-2026-18831 CRITICAL
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-03 icscert
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 22, 2026 - 18:22 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 05:46 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.12.2026
EUVD ID Assigned
Apr 03, 2026 - 20:45 euvd
EUVD-2026-18831
Analysis Generated
Apr 03, 2026 - 20:45 vuln.today
CVE Published
Apr 03, 2026 - 20:23 nvd
CRITICAL 9.3

DescriptionCVE.org

A specific endpoint allows authenticated users to pivot to other user profiles by modifying the id number in the API call.

AnalysisAI

Insecure Direct Object Reference (IDOR) vulnerability in Gardyn Cloud API allows unauthenticated remote attackers to access and modify arbitrary user profiles by manipulating ID parameters in API calls. CVSS:4.0 rates this 9.3 (Critical) with network-accessible attack vector requiring no privileges or user interaction, enabling unauthorized access to high-sensitivity user data and profile modification. CISA ICS-CERT issued advisory ICSA-26-055-03 for this IoT/smart garden system vulnerability. No public exploit identified at time of analysis, though the attack technique (parameter manipulation) is trivial to execute.

Technical ContextAI

This vulnerability affects the Gardyn Cloud API (cpe:2.3:a:gardyn:cloud_api), which provides backend services for Gardyn's smart indoor gardening systems. The flaw is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), a classic Insecure Direct Object Reference where the application fails to verify that the authenticated user has authorization to access the object specified by a user-supplied identifier. The API endpoint accepts an ID parameter directly from client requests without proper access control validation, allowing attackers to enumerate and access other users' profiles by iterating through ID values. This architectural flaw indicates missing server-side authorization checks that should validate the requesting user's permissions against the target resource. The CVSS:4.0 vector PR:N (No Privileges Required) reveals a critical gap: despite the description mentioning 'authenticated users,' the vector indicates NO authentication is actually required for exploitation, suggesting either publicly accessible endpoints or a complete authentication bypass capability.

RemediationAI

Implement server-side authorization controls immediately to validate that authenticated users can only access their own profile data before processing any API requests containing user ID parameters. The primary fix requires code-level changes to enforce proper access control lists (ACLs) that verify the requesting user's identity matches the target profile ID or has explicit administrative permissions. Apply the principle of least privilege by implementing role-based access control (RBAC) and validating all object references against the authenticated session context. Consult the official Gardyn security advisory at https://mygardyn.com/security/ and CISA advisory ICSA-26-055-03 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03 for vendor-specific remediation guidance and patch availability. No vendor-released patch version confirmed from available data at time of analysis. As interim mitigation, implement API rate limiting, monitor for suspicious sequential ID access patterns, add logging for cross-user profile access attempts, and consider temporary API endpoint restrictions until architectural fixes deploy. Organizations using Gardyn systems should isolate devices on dedicated network segments and restrict cloud API access until patches apply.

Share

CVE-2026-25197 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy