Skip to main content

Cloud Api CVE-2026-28766

| EUVDEUVD-2026-18839 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-04-03 icscert GHSA-m7jc-wgg6-fhj3
9.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 22, 2026 - 18:22 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 05:46 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.12.2026
EUVD ID Assigned
Apr 03, 2026 - 20:45 euvd
EUVD-2026-18839
Analysis Generated
Apr 03, 2026 - 20:45 vuln.today
CVE Published
Apr 03, 2026 - 20:20 nvd
CRITICAL 9.2

DescriptionCVE.org

A specific endpoint exposes all user account information for registered Gardyn users without requiring authentication.

AnalysisAI

Unauthenticated access to complete user account data in Gardyn Cloud API allows remote attackers to retrieve sensitive information for all registered users. The vulnerability stems from an unprotected endpoint exposing full account details without authentication checks (CVSS 9.2, AV:N/PR:N). CISA ICS-CERT has published an advisory, indicating exposure in operational technology/IoT contexts. No public exploit identified at time of analysis, though the vulnerability's simplicity (low attack complexity, no privileges required) makes exploitation straightforward once the endpoint is discovered.

Technical ContextAI

This vulnerability affects the Gardyn Cloud API (cpe:2.3:a:gardyn:cloud_api), which manages backend services for Gardyn's smart indoor gardening systems. The flaw is a missing authentication control (CWE-306: Missing Authentication for Critical Function) on a specific API endpoint that returns complete user account information. The CVSS 4.0 vector indicates network-accessible attack surface with no attack complexity barriers, no required privileges, and no user interaction needed. The vulnerability exposes high confidentiality impact to both the vulnerable system (VC:H) and subsequent systems (SC:H), with low integrity impact to both (VI:L/SI:L), suggesting the endpoint may permit not just read access but potentially limited data modification. The presence of an ICS-CERT advisory indicates this cloud API services IoT/smart home devices, expanding the attack surface beyond typical web applications to include embedded device ecosystems.

RemediationAI

Immediate action required: implement authentication controls on the exposed endpoint per vendor guidance available at https://mygardyn.com/security/. Organizations should monitor the CISA ICS-CERT advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03 for patch release announcements and specific version remediation details. Upstream fix tracking is available via CISA's CSAF repository at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-03.json. As an interim mitigation, if feasible, restrict network access to the Gardyn Cloud API to trusted IP ranges using firewall rules or API gateway controls, though this may not be practical for consumer IoT deployments. Organizations should immediately audit access logs for suspicious enumeration patterns targeting user account endpoints and force password resets for affected accounts once patching is complete. Given the complete exposure of user account data, assume all registered user information has been compromised and implement appropriate breach notification procedures per applicable data protection regulations.

Share

CVE-2026-28766 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy