Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A specific administrative endpoint is accessible without proper authentication, exposing device management functions.
AnalysisAI
Unauthenticated remote access to administrative endpoints in Gardyn Cloud API exposes device management functions to network attackers. The CVSS:4.0 vector (AV:N/AC:L/PR:N) confirms network-reachable exploitation requiring no authentication or user interaction, with high confidentiality impact. EPSS data unavailable, but authentication bypass vulnerabilities (CWE-306) are frequently targeted when exposed on internet-facing APIs. CISA ICS-CERT advisory indicates IoT/OT context, suggesting potential for unauthorized device control. No confirmed active exploitation (not on CISA KEV) and no public exploit identified at time of analysis.
Technical ContextAI
The vulnerability stems from CWE-306 (Missing Authentication for Critical Function), where administrative endpoints in Gardyn's Cloud API lack proper authentication controls. The affected product (cpe:2.3:a:gardyn:cloud_api) appears to be the backend management interface for Gardyn's smart indoor gardening systems. Authentication bypass flaws at the API layer typically result from misconfigured route handlers, missing middleware validation, or direct object reference vulnerabilities that allow unauthenticated callers to invoke privileged operations. In IoT cloud platforms, administrative endpoints often control device provisioning, configuration updates, firmware management, and telemetry access-all of which become exposed when authentication checks are absent. The CVSS vector indicates network-based attack surface with low complexity, meaning exploitation requires only HTTP client capabilities and knowledge of endpoint paths, which may be discoverable through API documentation, brute-force enumeration, or reverse engineering of mobile applications.
RemediationAI
Vendor-released patch available per CISA advisory ICSA-26-055-03. Organizations operating Gardyn Cloud API infrastructure should immediately consult the vendor security advisory at https://mygardyn.com/security/ for specific patch versions and deployment instructions. The CISA advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03 and associated CSAF document at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-03.json contain structured remediation guidance including exact patched versions, though specific version numbers are not provided in the analyzed dataset. Immediate compensating controls include restricting network access to administrative endpoints through firewall rules, implementing IP allowlisting for known management clients, deploying API gateway authentication layers as an interim control, and monitoring access logs for unauthorized administrative endpoint requests. End users of Gardyn devices should verify their systems have received automatic cloud-side updates, as the vulnerability resides in backend infrastructure rather than device firmware. Review authentication logs for the exposure window to identify potential unauthorized access attempts.
Insecure Direct Object Reference (IDOR) vulnerability in Gardyn Cloud API allows unauthenticated remote attackers to acc
Unauthenticated access to complete user account data in Gardyn Cloud API allows remote attackers to retrieve sensitive i
Hardcoded storage credentials in Gardyn mobile application and device firmware grant unauthenticated remote attackers ac
Unauthenticated attackers can access administrative endpoint notifications in Gardyn Cloud API without proper authentica
Gardyn Cloud API exposes development and test endpoints that mirror production functionality, allowing unauthenticated r
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18845
GHSA-rj89-w4p6-78wv