Skip to main content

Cloud Api CVE-2026-32662

| EUVDEUVD-2026-18847 MEDIUM
Active Debug Code (CWE-489)
2026-04-03 icscert GHSA-35v5-5w5j-5cx2
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.12.2026
EUVD ID Assigned
Apr 03, 2026 - 20:45 euvd
EUVD-2026-18847
Analysis Generated
Apr 03, 2026 - 20:45 vuln.today
CVE Published
Apr 03, 2026 - 20:11 nvd
MEDIUM 6.9

DescriptionCVE.org

Development and test API endpoints are present that mirror production functionality.

AnalysisAI

Gardyn Cloud API exposes development and test endpoints that mirror production functionality, allowing unauthenticated remote attackers to access sensitive information with low complexity. This information disclosure vulnerability (CVSS 6.9) affects all versions of Gardyn Cloud API and has been documented by CISA ICS in advisory ICSA-26-055-03; no public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

The vulnerability stems from CWE-489 (Use of Private Data in an External Process), where development and testing API endpoints are not properly segregated or disabled in production environments. These mirrored endpoints expose the same backend functionality as production APIs without adequate access controls or environmental separation. Gardyn Cloud API (CPE: cpe:2.3:a:gardyn:cloud_api:*:*:*:*:*:*:*:*) has left these debug/test interfaces accessible to unauthenticated network callers, creating a direct path for information disclosure. The CVSS vector confirms unauthenticated network access (AV:N/PR:N) with low attack complexity (AC:L), and the confidentiality impact (VC:L) reflects the leakage of sensitive information through these unintended exposure points.

RemediationAI

Gardyn should remove or fully disable all development and test API endpoints from production environments, implement strict network segmentation to restrict debug endpoints to internal-only access, and deploy authentication/authorization controls that prevent unauthenticated access to sensitive endpoints. Organizations deploying Gardyn Cloud API should immediately review their instance configuration to identify and document any accessible test or development endpoints, restrict network access to these endpoints via firewall or load balancer rules, and contact Gardyn for a patched version. Refer to the vendor advisory at https://mygardyn.com/security/ and CISA advisory ICSA-26-055-03 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03) for vendor-specific remediation guidance. Patch availability status and exact fixed versions should be confirmed with Gardyn directly, as they are not specified in the available reference data.

Share

CVE-2026-32662 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy