Gardyn Security Incident
Independent documentation of CISA advisory ICSA-26-055-03 and the ten related CVEs affecting the Gardyn IoT platform.
What is documented in primary sources
Per CISA advisory ICSA-26-055-03 Update A (April 2, 2026), an unauthenticated cloud API endpoint exposed records described in the advisory as “all user account information” for approximately 134,215 customers (CVE-2026-28766). Per the maintainer’s coordinated-disclosure repository, the records returned by /api/users included names, email addresses, phone numbers, and a partial payment-card field (last_four), not the full card number or CVV. A separately cataloged single-record companion endpoint (/api/user/{id}, CVE-2026-25197) returned per-user records — including physical addresses — by sequential integer ID with no authentication. Per Gardyn’s customer-facing security update post, the vulnerabilities did not expose payment card information.
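To make the access-control failure concrete, the following is an added illustration (not Gardyn's code, and not from the researcher's repository) of the pattern described for /api/user/{id}: a handler that answers by integer ID with no caller check, beside the form a defender would expect, which requires a session and enforces ownership before any lookup. The record fields only mirror the shapes named above; the sample users, the `Session` model and the helper names are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records. Only the field names mirror the advisory text
# (name, email, phone, last_four, address); the values are made up.
USERS = {
    1001: {"name": "Ada Example", "email": "ada@example.com",
           "phone": "555-0100", "last_four": "4242", "address": "1 Main St"},
    1002: {"name": "Bob Example", "email": "bob@example.com",
           "phone": "555-0101", "last_four": "1881", "address": "2 Side Rd"},
}


@dataclass
class Session:
    """Authenticated caller, as a hypothetical auth layer would supply it."""
    user_id: int
    is_admin: bool = False


class Unauthorized(Exception):
    """No valid session: the API should answer 401."""


class Forbidden(Exception):
    """Valid session, but not the owner (or an operator): answer 403."""


def get_user_vulnerable(user_id: int) -> Optional[dict]:
    """Before: the path parameter alone selects the record. Anyone who can
    count from 1 upward can walk every account (the IDOR described above)."""
    return USERS.get(user_id)


def get_user_hardened(session: Optional[Session], user_id: int) -> dict:
    """After: authenticate, then authorize against the requested ID before
    touching storage, so a non-owner never learns whether the ID exists."""
    if session is None:
        raise Unauthorized("authentication required")
    if session.user_id != user_id and not session.is_admin:
        raise Forbidden("caller may only read their own account record")
    record = USERS.get(user_id)
    if record is None:
        raise KeyError(user_id)          # maps to 404 for the owner/admin only
    return dict(record)                  # copy: callers cannot mutate the store


def outcome(session: Optional[Session], user_id: int) -> str:
    """Collapse the hardened handler's result to a status word for checks."""
    try:
        get_user_hardened(session, user_id)
        return "ok"
    except Unauthorized:
        return "unauthorized"
    except Forbidden:
        return "forbidden"
```

The ordering matters: the ownership check runs before the store lookup, so a guessed ID that does not belong to the caller yields the same 403 whether or not a record with that ID exists.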
About this site
This site documents the Gardyn IoT security incident publicly disclosed by CISA on February 24, 2026 and expanded to ten CVEs via Update A on April 2, 2026. CISA credits Michael Groberman as the reporting researcher in the advisory. Per the maintainer’s coordinated-disclosure repository, initial private disclosure to Gardyn was on October 14, 2025, made in his self-identified capacity as a Gardyn customer with technical knowledge whose own account record was among the records exposed; the “researcher” label was applied by CISA on February 24, 2026 with the publication of the advisory.
Every claim on this site links to a primary public record: the CISA advisory, the National Vulnerability Database, MITRE CVE records, the maintainer’s coordinated-disclosure repository, or Gardyn’s own customer-facing posts. The methodology page describes the sourcing standard.
The ten CVEs (by severity)
| CVE | Severity | Title (per researcher repository) |
|---|---|---|
| CVE-2026-28766 | Critical (9.3) | Missing Authentication: User Account Endpoint |
| CVE-2025-1242 | Critical (9.1) | Use of Hard-coded Credentials |
| CVE-2025-29631 | Critical (9.1) | OS Command Injection |
| CVE-2026-25197 | Critical (9.1) | Authorization Bypass via User-Controlled Key (IDOR) |
| CVE-2025-10681 | High (8.6) | Hardcoded Azure Blob Storage Account Key |
| CVE-2025-29628 | High (8.3) | Cleartext Transmission of Sensitive Information |
| CVE-2025-29629 | High (8.3) | Use of Default Credentials |
| CVE-2026-32646 | High (7.5) | Missing Authentication: Admin Device Management |
| CVE-2026-28767 | Medium (5.3) | Missing Authentication: Admin Notifications |
| CVE-2026-32662 | Medium (5.3) | Active Debug Code in Production |
Quick links
- Timeline — dated events from October 14, 2025 through CISA Update A
- Advisory hub — all 10 CVEs with primary-source links
- Discrepancies — vendor statements vs. CISA findings, side-by-side
- For customers — what was documented, jurisdiction-by-jurisdiction resources
- How to update your Gardyn device
- FAQ
- Glossary
- Coordinated disclosure process
- Press coverage
- Methodology