Description
A specific administrative endpoint is accessible without proper authentication, exposing device management functions.
Published: 2026-04-03
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized device management due to missing authentication on a critical Cloud API endpoint
Action: Patch Now
AI Analysis

Impact

A specific administrative endpoint within the Gardyn Cloud API can be accessed without authentication, allowing an attacker to invoke device management functions. This omission of proper authorization aligns with the missing authorization weakness identified by CWE‑306. An attacker who can reach the endpoint could potentially reconfigure, reset, or otherwise alter connected Gardyn devices, compromising device integrity and potentially leading to broader system compromise.

Affected Systems

The vulnerability impacts Gardyn’s Cloud API, as well as the Gardyn mobile application and the Gardyn Home firmware that these components rely upon. Users are advised to run the latest version of the Gardyn mobile app and to update their Home firmware to version master.622 or newer to mitigate this risk.

Risk and Exploitability

The CVSS score of 8.7 classifies this flaw as high severity. Because the endpoint is accessible without authentication, the likelihood of exploitation is high for anyone who can communicate with the Gardyn Cloud API, whether through local network or internet-facing interfaces. The EPSS score is not available, and the flaw is not currently listed in the CISA Known Exploited Vulnerabilities catalog, but the inherent lack of authorization makes exploitation relatively straightforward once network access is established.

Generated by OpenCVE AI on April 3, 2026 at 22:21 UTC.

Remediation

Vendor Solution

Gardyn states that the relevant fixes are included in the latest version of the Gardyn mobile application. Users are required to run a supported version of the Gardyn App on their phone in order to access Gardyn services and devices. The current versions of the Gardyn App and the Gardyn Home firmware can be checked in the Gardyn App. For all vulnerabilities, Gardyn recommends users ensure their home kit and studio devices are upgraded to firmware master.622 or later. Gardyn also recommends that users update their mobile application to the most recent version. Gardyn requests that users ensure their devices have network connectivity in order to automatically download needed firmware updates. Unconnected devices will automatically update when configured with a working Internet connection.

OpenCVE Recommended Actions

  • Update the Gardyn mobile application to the latest version available on the app store
  • Upgrade Gardyn Home firmware to master.622 or later through the device’s software update mechanism
  • Ensure that all Gardyn devices maintain network connectivity so they can automatically download firmware updates
  • Verify that the Cloud API endpoints are protected by network segmentation and firewall rules to limit exposure to authorized traffic

Generated by OpenCVE AI on April 3, 2026 at 22:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Mygardyn
Mygardyn cloud Api
CPEs cpe:2.3:a:mygardyn:cloud_api:*:*:*:*:*:*:*:*
Vendors & Products Mygardyn
Mygardyn cloud Api

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Gardyn
Gardyn cloud Api
Vendors & Products Gardyn
Gardyn cloud Api

Fri, 03 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Description A specific administrative endpoint is accessible without proper authentication, exposing device management functions.
Title Gardyn Cloud API Missing Authentication for Critical Function
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Gardyn Cloud Api
Mygardyn Cloud Api
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-04-07T14:24:15.629Z

Reserved: 2026-03-17T20:12:55.166Z

Link: CVE-2026-32646

cve-icon Vulnrichment

Updated: 2026-04-07T14:24:10.728Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T21:17:11.137

Modified: 2026-04-22T18:26:46.607

Link: CVE-2026-32646

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T07:16:32Z

Weaknesses