Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Development and test API endpoints are present that mirror production functionality.
AnalysisAI
Gardyn Cloud API exposes development and test endpoints that mirror production functionality, allowing unauthenticated remote attackers to access sensitive information with low complexity. This information disclosure vulnerability (CVSS 6.9) affects all versions of Gardyn Cloud API and has been documented by CISA ICS in advisory ICSA-26-055-03; no public exploit code or active exploitation has been identified at the time of analysis.
Technical ContextAI
The vulnerability stems from CWE-489 (Use of Private Data in an External Process), where development and testing API endpoints are not properly segregated or disabled in production environments. These mirrored endpoints expose the same backend functionality as production APIs without adequate access controls or environmental separation. Gardyn Cloud API (CPE: cpe:2.3:a:gardyn:cloud_api:*:*:*:*:*:*:*:*) has left these debug/test interfaces accessible to unauthenticated network callers, creating a direct path for information disclosure. The CVSS vector confirms unauthenticated network access (AV:N/PR:N) with low attack complexity (AC:L), and the confidentiality impact (VC:L) reflects the leakage of sensitive information through these unintended exposure points.
RemediationAI
Gardyn should remove or fully disable all development and test API endpoints from production environments, implement strict network segmentation to restrict debug endpoints to internal-only access, and deploy authentication/authorization controls that prevent unauthenticated access to sensitive endpoints. Organizations deploying Gardyn Cloud API should immediately review their instance configuration to identify and document any accessible test or development endpoints, restrict network access to these endpoints via firewall or load balancer rules, and contact Gardyn for a patched version. Refer to the vendor advisory at https://mygardyn.com/security/ and CISA advisory ICSA-26-055-03 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03) for vendor-specific remediation guidance. Patch availability status and exact fixed versions should be confirmed with Gardyn directly, as they are not specified in the available reference data.
Insecure Direct Object Reference (IDOR) vulnerability in Gardyn Cloud API allows unauthenticated remote attackers to acc
Unauthenticated access to complete user account data in Gardyn Cloud API allows remote attackers to retrieve sensitive i
Hardcoded storage credentials in Gardyn mobile application and device firmware grant unauthenticated remote attackers ac
Unauthenticated remote access to administrative endpoints in Gardyn Cloud API exposes device management functions to net
Unauthenticated attackers can access administrative endpoint notifications in Gardyn Cloud API without proper authentica
Same weakness CWE-489 – Active Debug Code
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18847
GHSA-35v5-5w5j-5cx2