Description
A specific endpoint exposes all user account information for registered Gardyn users without requiring authentication.
Published: 2026-04-03
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: User account information disclosure
Action: Apply Patch
AI Analysis

Impact

The Gardyn Cloud API contains a critical endpoint that returns all authenticated user account information. The endpoint does not enforce authentication, allowing anyone to retrieve sensitive personal data about Gardyn users. This flaw enables disclosure of private information, including usernames, email addresses, and potentially other profile details, without any login or authorization.

Affected Systems

The vulnerability affects the Gardyn Cloud API, specifically the endpoint exposed to the Gardyn mobile application and underlying Home firmware. The fix is bundled in the latest version of the Gardyn mobile app; users must run a supported app version. Additionally, all Gardyn Home kit and studio devices should be upgraded to master.622 or later for complete remediation.

Risk and Exploitability

The CVSS score of 9.2 classifies this flaw as critical, reflecting high confidentiality impact. The EPSS score is not available, but the vulnerability is not listed in the CISA KEV catalog, indicating no widespread exploitation yet. Because the API bypasses authentication entirely, an attacker with network access to the Gardyn API can exploit it immediately. The lack of an authentication check, combined with the high CVSS, signals a high risk of data exposure for all affected users.

Generated by OpenCVE AI on April 3, 2026 at 23:27 UTC.

Remediation

Vendor Solution

Gardyn states that the relevant fixes are included in the latest version of the Gardyn mobile application. Users are required to run a supported version of the Gardyn App on their phone in order to access Gardyn services and devices. The current versions of the Gardyn App and the Gardyn Home firmware can be checked in the Gardyn App. For all vulnerabilities, Gardyn recommends users ensure their home kit and studio devices are upgraded to firmware master.622 or later. Gardyn also recommends that users update their mobile application to the most recent version. Gardyn requests that users ensure their devices have network connectivity in order to automatically download needed firmware updates. Unconnected devices will automatically update when configured with a working Internet connection.

OpenCVE Recommended Actions

  • Update the Gardyn mobile application to the latest version available.
  • Upgrade all Gardyn Home kit and studio devices to firmware master.622 or later.
  • Verify that devices maintain an active Internet connection for automatic firmware updates.
  • Monitor Gardyn security advisories for any additional updates or patches.

Generated by OpenCVE AI on April 3, 2026 at 23:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Mygardyn
Mygardyn cloud Api
CPEs cpe:2.3:a:mygardyn:cloud_api:*:*:*:*:*:*:*:*
Vendors & Products Mygardyn
Mygardyn cloud Api

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Gardyn
Gardyn cloud Api
Vendors & Products Gardyn
Gardyn cloud Api

Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description A specific endpoint exposes all user account information for registered Gardyn users without requiring authentication.
Title Gardyn Cloud API Missing Authentication for Critical Function
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N'}

Subscriptions

Gardyn Cloud Api
Mygardyn Cloud Api
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-04-07T14:22:53.379Z

Reserved: 2026-03-17T20:12:55.120Z

Link: CVE-2026-28766

cve-icon Vulnrichment

Updated: 2026-04-07T14:22:47.260Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T21:17:10.387

Modified: 2026-04-22T18:21:24.000

Link: CVE-2026-28766

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T22:22:22Z

Weaknesses