Impact
Development and test API endpoints that duplicate production functionality remain active in the Gardyn Cloud API. These debug interfaces provide privileged operations that can be invoked without proper authorization, potentially allowing an attacker to perform actions such as configuration changes or data retrieval that are normally restricted to authenticated users. The vulnerability is classified as CWE‑489, indicating insecure direct object reference. Although the description does not specify code execution, the exposed endpoints could lead to unauthorized manipulation of Gardyn devices and services.
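The pattern above, dev/test routes that mirror production handlers but skip authorization, can be caught at release time and denied at request time. The following is an added example, not Gardyn's code; the route paths, token values, config payload and production flag are constructed assumptions.

```python
# Added example (not Gardyn's code): gating "development and test" routes
# that duplicate production handlers, the CWE-489 pattern described above.
# Route paths, token values and the production flag are constructed assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

@dataclass
class Route:
    handler: Callable[[str], dict]
    debug_only: bool = False   # dev/test duplicate of a production route
    requires_auth: bool = True

def audit_routes(routes: Dict[str, Route], production: bool) -> List[str]:
    """Release-time check: report debug routes still registered in a
    production build and any route that bypasses authentication."""
    findings = []
    for path, r in routes.items():
        if r.debug_only and production:
            findings.append(f"{path}: debug route active in production build")
        if not r.requires_auth:
            findings.append(f"{path}: route does not require authentication")
    return findings

def dispatch(routes: Dict[str, Route], path: str, token: str,
             production: bool, valid_tokens: Set[str]) -> Tuple[int, dict]:
    """Deny-by-default dispatcher. In production a debug route answers 404
    (same as a missing route, so it is not enumerable); every other route
    requires a valid token before its handler runs."""
    r = routes.get(path)
    if r is None or (r.debug_only and production):
        return 404, {"error": "not found"}
    if r.requires_auth and token not in valid_tokens:
        return 401, {"error": "authentication required"}
    return 200, r.handler(path)

def get_config(path: str) -> dict:
    return {"path": path, "config": {"light_hours": 16}}  # constructed payload

# Weak registration: the test copy of the config endpoint skips auth.
WEAK_ROUTES = {
    "/v1/device/config": Route(get_config),
    "/test/device/config": Route(get_config, debug_only=True, requires_auth=False),
}
# Corrected registration: the duplicate is gone; the real route stays authenticated.
FIXED_ROUTES = {"/v1/device/config": Route(get_config)}
TOKENS = {"constructed-valid-token"}
```

Running `audit_routes(WEAK_ROUTES, production=True)` reports both the active debug route and the missing auth check, while the corrected table produces no findings.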
Affected Systems
The vulnerability affects the Gardyn Cloud API, the Gardyn mobile application, and the Gardyn Home firmware. Devices running any mobile app version prior to the latest release or firmware versions earlier than master.622 are potentially vulnerable. Gardyn recommends that users install the latest mobile application and upgrade home kit and studio devices to firmware master.622 or later to eliminate the exposed endpoints.
Risk and Exploitability
The CVSS score of 6.9 indicates moderate severity, and the vulnerability is not listed in the CISA KEV catalog. Attackers would likely target the internet‑reachable API endpoints from external networks, assuming the device has network connectivity. The absence of any authentication requirement in the description suggests that an unauthenticated attacker could exploit the debug API if it is publicly reachable, leading to unauthorized control or data exposure on affected Gardyn devices. Because EPSS data is unavailable, the precise likelihood of exploitation cannot be quantified, but the presence of exposed debug functionality raises a clear risk to device security.
OpenCVE Enrichment