Skip to main content

Cloud Api EUVDEUVD-2026-18845

| CVE-2026-32646 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-04-03 icscert GHSA-rj89-w4p6-78wv
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 22, 2026 - 18:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:07 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.12.2026
EUVD ID Assigned
Apr 03, 2026 - 20:45 euvd
EUVD-2026-18845
Analysis Generated
Apr 03, 2026 - 20:45 vuln.today
CVE Published
Apr 03, 2026 - 20:15 nvd
HIGH 8.7

DescriptionCVE.org

A specific administrative endpoint is accessible without proper authentication, exposing device management functions.

AnalysisAI

Unauthenticated remote access to administrative endpoints in Gardyn Cloud API exposes device management functions to network attackers. The CVSS:4.0 vector (AV:N/AC:L/PR:N) confirms network-reachable exploitation requiring no authentication or user interaction, with high confidentiality impact. EPSS data unavailable, but authentication bypass vulnerabilities (CWE-306) are frequently targeted when exposed on internet-facing APIs. CISA ICS-CERT advisory indicates IoT/OT context, suggesting potential for unauthorized device control. No confirmed active exploitation (not on CISA KEV) and no public exploit identified at time of analysis.

Technical ContextAI

The vulnerability stems from CWE-306 (Missing Authentication for Critical Function), where administrative endpoints in Gardyn's Cloud API lack proper authentication controls. The affected product (cpe:2.3:a:gardyn:cloud_api) appears to be the backend management interface for Gardyn's smart indoor gardening systems. Authentication bypass flaws at the API layer typically result from misconfigured route handlers, missing middleware validation, or direct object reference vulnerabilities that allow unauthenticated callers to invoke privileged operations. In IoT cloud platforms, administrative endpoints often control device provisioning, configuration updates, firmware management, and telemetry access-all of which become exposed when authentication checks are absent. The CVSS vector indicates network-based attack surface with low complexity, meaning exploitation requires only HTTP client capabilities and knowledge of endpoint paths, which may be discoverable through API documentation, brute-force enumeration, or reverse engineering of mobile applications.

RemediationAI

Vendor-released patch available per CISA advisory ICSA-26-055-03. Organizations operating Gardyn Cloud API infrastructure should immediately consult the vendor security advisory at https://mygardyn.com/security/ for specific patch versions and deployment instructions. The CISA advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03 and associated CSAF document at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-03.json contain structured remediation guidance including exact patched versions, though specific version numbers are not provided in the analyzed dataset. Immediate compensating controls include restricting network access to administrative endpoints through firewall rules, implementing IP allowlisting for known management clients, deploying API gateway authentication layers as an interim control, and monitoring access logs for unauthorized administrative endpoint requests. End users of Gardyn devices should verify their systems have received automatic cloud-side updates, as the vulnerability resides in backend infrastructure rather than device firmware. Review authentication logs for the exposure window to identify potential unauthorized access attempts.

Share

EUVD-2026-18845 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy