Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A specific endpoint exposes all user account information for registered Gardyn users without requiring authentication.
AnalysisAI
Unauthenticated access to complete user account data in Gardyn Cloud API allows remote attackers to retrieve sensitive information for all registered users. The vulnerability stems from an unprotected endpoint exposing full account details without authentication checks (CVSS 9.2, AV:N/PR:N). CISA ICS-CERT has published an advisory, indicating exposure in operational technology/IoT contexts. No public exploit identified at time of analysis, though the vulnerability's simplicity (low attack complexity, no privileges required) makes exploitation straightforward once the endpoint is discovered.
Technical ContextAI
This vulnerability affects the Gardyn Cloud API (cpe:2.3:a:gardyn:cloud_api), which manages backend services for Gardyn's smart indoor gardening systems. The flaw is a missing authentication control (CWE-306: Missing Authentication for Critical Function) on a specific API endpoint that returns complete user account information. The CVSS 4.0 vector indicates network-accessible attack surface with no attack complexity barriers, no required privileges, and no user interaction needed. The vulnerability exposes high confidentiality impact to both the vulnerable system (VC:H) and subsequent systems (SC:H), with low integrity impact to both (VI:L/SI:L), suggesting the endpoint may permit not just read access but potentially limited data modification. The presence of an ICS-CERT advisory indicates this cloud API services IoT/smart home devices, expanding the attack surface beyond typical web applications to include embedded device ecosystems.
RemediationAI
Immediate action required: implement authentication controls on the exposed endpoint per vendor guidance available at https://mygardyn.com/security/. Organizations should monitor the CISA ICS-CERT advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03 for patch release announcements and specific version remediation details. Upstream fix tracking is available via CISA's CSAF repository at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-03.json. As an interim mitigation, if feasible, restrict network access to the Gardyn Cloud API to trusted IP ranges using firewall rules or API gateway controls, though this may not be practical for consumer IoT deployments. Organizations should immediately audit access logs for suspicious enumeration patterns targeting user account endpoints and force password resets for affected accounts once patching is complete. Given the complete exposure of user account data, assume all registered user information has been compromised and implement appropriate breach notification procedures per applicable data protection regulations.
Insecure Direct Object Reference (IDOR) vulnerability in Gardyn Cloud API allows unauthenticated remote attackers to acc
Hardcoded storage credentials in Gardyn mobile application and device firmware grant unauthenticated remote attackers ac
Unauthenticated remote access to administrative endpoints in Gardyn Cloud API exposes device management functions to net
Unauthenticated attackers can access administrative endpoint notifications in Gardyn Cloud API without proper authentica
Gardyn Cloud API exposes development and test endpoints that mirror production functionality, allowing unauthenticated r
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18839
GHSA-m7jc-wgg6-fhj3