Description
A specific administrative endpoint, notifications, is accessible without proper authentication.
Published: 2026-04-03
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to critical administrative endpoint
Action: Patch and Upgrade
AI Analysis

Impact

The Gardyn Cloud API exposes an administrative endpoint for notifications that can be reached without any authentication. The weakness is a missing authentication check on a critical function, classified as CWE-306. Because the endpoint is administrative, any client that can reach it can invoke it without presenting credentials. The published CVSS vectors (see History) record the impact as a low confidentiality loss, that is, read access to whatever the endpoint serves, with no integrity or availability impact; the analysis should not be read as confirming that arbitrary administrative actions can be performed through it.

Affected Systems

The CPE recorded for the CVE names only the Cloud API (cpe:2.3:a:mygardyn:cloud_api), but the API is consumed by the Gardyn mobile application and the Gardyn Home firmware, and Gardyn's guidance is expressed in terms of those clients: the fix is included in the latest version of the Gardyn mobile application, and users should keep Home firmware at master.622 or later to mitigate the issue.

Risk and Exploitability

The CVSS v4.0 base score is 6.9 (Medium); the v3.1 score is 5.3 (also Medium). Both vectors describe an attack that is network-reachable with low complexity and needs neither privileges nor user interaction (AV:N/AC:L/PR:N/UI:N), but they score only a low confidentiality impact (VC:L in v4.0, C:L in v3.1) and no integrity or availability impact. EPSS is below 1%, the vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment records no known exploitation, with Automatable set to yes and Technical Impact partial. The attack vector is remote access to the Gardyn Cloud API endpoint: any actor who can reach it can call the administrative function without credentials.

Generated by OpenCVE AI on April 3, 2026 at 22:50 UTC.
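The following is an added illustration of the CWE-306 pattern the analysis above describes; it is not Gardyn's code and is not derived from the Gardyn API. The page gives only the endpoint name "notifications", so the route path "/admin/notifications", the bearer-token scheme, the session table, the role model and the sample notification records are all assumptions constructed for the example. It shows the same handler in its vulnerable form and behind an authentication gate, plus the no-credentials probe a reviewer or tester runs against each route to tell them apart.

```python
"""CWE-306 on an administrative endpoint: vulnerable form, hardened form, and the
probe a reviewer runs to tell them apart.

Added illustration for the advisory, not Gardyn's code. The route
"/admin/notifications", the bearer-token scheme, the session table and the role
model are assumptions; the page only names the endpoint "notifications".
"""
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Dict, Optional

# Constructed stand-in for a real session or JWT lookup.
SESSIONS: Dict[str, dict] = {
    "tok-admin": {"user": "ops", "role": "admin"},
    "tok-user": {"user": "alice", "role": "user"},
}

# Constructed sample data the endpoint serves; the vulnerable form leaks it.
NOTIFICATIONS = [
    {"id": 1, "to": "alice", "text": "Water level low"},
    {"id": 2, "to": "bob", "text": "Firmware updated to master.622"},
]


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: object = None


def current_principal(req: Request) -> Optional[dict]:
    """Map the Authorization header to a principal; None if absent, malformed
    or unknown, so every failure path is treated as unauthenticated."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return SESSIONS.get(token.strip())


def require_role(role: str):
    """Gate a handler: 401 without a valid principal, 403 with the wrong role.
    The check runs before the handler body, so the endpoint fails closed."""
    def decorator(handler: Callable[[Request, dict], Response]):
        @wraps(handler)
        def gated(req: Request) -> Response:
            principal = current_principal(req)
            if principal is None:
                return Response(401, {"error": "authentication required"})
            if principal["role"] != role:
                return Response(403, {"error": "forbidden"})
            return handler(req, principal)
        return gated
    return decorator


# Vulnerable form (CWE-306): no authentication check at all on an admin route.
def notifications_vulnerable(req: Request) -> Response:
    return Response(200, NOTIFICATIONS)


# Hardened form: identical body, but unreachable without an admin principal.
@require_role("admin")
def notifications_hardened(req: Request, principal: dict) -> Response:
    return Response(200, NOTIFICATIONS)


def probe_missing_auth(handler: Callable[[Request], Response], path: str) -> bool:
    """Reviewer/pentest check: call the route with no credentials at all and
    report True if it still returns 200 with a body, i.e. CWE-306 is present."""
    resp = handler(Request(path))
    return resp.status == 200 and resp.body is not None


def demo() -> Dict[str, int]:
    """Exercise both forms with the credential states a tester would try."""
    path = "/admin/notifications"

    def call(handler, auth: Optional[str]) -> int:
        headers = {"Authorization": auth} if auth is not None else {}
        return handler(Request(path, headers)).status

    return {
        "vulnerable_unauth": call(notifications_vulnerable, None),
        "hardened_unauth": call(notifications_hardened, None),
        "hardened_bad_scheme": call(notifications_hardened, "Basic dXNlcjpwdw=="),
        "hardened_unknown_token": call(notifications_hardened, "Bearer nope"),
        "hardened_user": call(notifications_hardened, "Bearer tok-user"),
        "hardened_admin": call(notifications_hardened, "Bearer tok-admin"),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:24s} -> {status}")
    print("vulnerable route missing auth:", probe_missing_auth(notifications_vulnerable, "/admin/notifications"))
    print("hardened route missing auth:  ", probe_missing_auth(notifications_hardened, "/admin/notifications"))
```

The design point is that the gate is applied at the route, before any handler logic, and that every malformed or unknown credential collapses to the same unauthenticated outcome; a per-handler "remember to check" discipline is exactly what CWE-306 findings come from. The probe only needs to distinguish 200 from 401/403 on a request carrying no credentials, which is the same check to run against every administrative route when auditing an API, not just the one named in an advisory.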

Remediation

Vendor Solution

Gardyn states that the relevant fixes are included in the latest version of the Gardyn mobile application. Users are required to run a supported version of the Gardyn App on their phone in order to access Gardyn services and devices. The current versions of the Gardyn App and the Gardyn Home firmware can be checked in the Gardyn App. For all vulnerabilities, Gardyn recommends users ensure their home kit and studio devices are upgraded to firmware master.622 or later. Gardyn also recommends that users update their mobile application to the most recent version. Gardyn requests that users ensure their devices have network connectivity in order to automatically download needed firmware updates. Unconnected devices will automatically update when configured with a working Internet connection.


OpenCVE Recommended Actions

  • Update the Gardyn mobile application to the latest version on your device.
  • Upgrade Gardyn Home firmware to master.622 or later.
  • Ensure that your devices have network connectivity so that automatic firmware updates can be downloaded.
  • Verify that you are using a supported version of the Gardyn App before accessing Gardyn services.

Generated by OpenCVE AI on April 3, 2026 at 22:50 UTC.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 18:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Mygardyn
                                      Mygardyn cloud Api
CPEs                                  cpe:2.3:a:mygardyn:cloud_api:*:*:*:*:*:*:*:*
Vendors & Products                    Mygardyn
                                      Mygardyn cloud Api

Tue, 07 Apr 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 00:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Gardyn
                                      Gardyn cloud Api
Vendors & Products                    Gardyn
                                      Gardyn cloud Api

Fri, 03 Apr 2026 20:15:00 +0000

Type          Values Removed   Values Added
Description                    A specific administrative endpoint notifications is accessible without proper authentication.
Title                          Gardyn Cloud API Missing Authentication for Critical Function
Weaknesses                     CWE-306
References
Metrics                        cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
                               cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-04-07T14:23:23.456Z

Reserved: 2026-03-17T20:12:55.183Z

Link: CVE-2026-28767

Vulnrichment

Updated: 2026-04-07T14:23:14.518Z

NVD

Status : Analyzed

Published: 2026-04-03T21:17:10.580

Modified: 2026-04-22T18:26:03.360

Link: CVE-2026-28767

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T07:16:31Z

Weaknesses