# CISA Advisory ICSA-26-055-03
All ten CVEs in CISA advisory ICSA-26-055-03, as updated April 2, 2026 (Update A). Each entry links to the canonical NVD record, MITRE CVE record, and per-CVE researcher repository where available.
## The advisory

| Advisory | CISA ICSA-26-055-03 |
|---|---|
| Initial publication | February 24, 2026 (4 CVEs) |
| Update A | April 2, 2026 (10 CVEs) |
| Vendor | Gardyn Inc. |
| Affected products | Gardyn Home Kit (Models 1.0, 2.0, 3.0, 4.0), Gardyn Studio (Models 1.0, 2.0) |
| Affected versions | Mobile App <2.11.0; Cloud API <2.12.2026; Home Kit Firmware <master.622 |
| Sector | Food and Agriculture (CISA classification) |
| Registered devices (per researcher repository) | 138,160+ |
| User records (per CVE-2026-28766) | 134,215 |
| Researcher | Michael Groberman |
| Coordinator | CERT/CC (parent case VU#653116) and CISA |
| Status per CISA Update A | All ten CVEs remediated |
## The ten CVEs

| CVE | Title | Severity |
|---|---|---|
| CVE-2026-28766 | Missing Authentication: User Account Endpoint | Critical (9.3) |
| CVE-2025-1242 | Use of Hard-coded Credentials | Critical (9.1) |
| CVE-2025-29631 | OS Command Injection | Critical (9.1) |
| CVE-2026-25197 | Authorization Bypass via User-Controlled Key (IDOR) | Critical (9.1) |
| CVE-2025-10681 | Hardcoded Azure Blob Storage Account Key | High (8.6) |
| CVE-2025-29628 | Cleartext Transmission of Sensitive Information | High (8.3) |
| CVE-2025-29629 | Use of Default Credentials | High (8.3) |
| CVE-2026-32646 | Missing Authentication: Admin Device Management | High (7.5) |
| CVE-2026-28767 | Missing Authentication: Admin Notifications | Medium (5.3) |
| CVE-2026-32662 | Active Debug Code in Production | Medium (5.3) |
## Endpoints documented as not requiring authentication

Per CISA advisory ICSA-26-055-03 (Update A), the absence of authentication is documented across multiple endpoint categories spanning customer-facing data, administrative functions, and development/test endpoints:
- CVE-2026-28766 — /api/users (customer-facing data, approximately 134,215 records, CVSS 9.3)
- CVE-2026-32646 — /api/admin/devices (administrative function, CVSS 7.5)
- CVE-2026-28767 — /api/admin/notifications (administrative function, CVSS 5.3)
- CVE-2026-32662 — development/test endpoints reachable in production (CVSS 5.3)
Per the CISA advisory, the lack of authentication is therefore documented as a property shared by multiple endpoints rather than as an isolated finding on one of them.
## Detectability of access during the exposure window

Per the maintainer’s coordinated-disclosure repository, no authentication-level access logging existed on the affected endpoints during the exposure window. This is sourced to coordinated-disclosure correspondence and to a 2026-01-27 Gardyn customer-support response to a Personal Information Access Request, not to the CISA advisory text. When no access logging exists on an endpoint, unauthenticated access to that endpoint during the unlogged window is not observable in the vendor’s logs, so the logs cannot confirm or rule out such access. See vendor public statements, Item 9.
## Attack chains documented in the maintainer’s repository

Per the maintainer’s repository, two attack chains are documented that combine individual CVEs:
- Chain 1. CVE-2025-1242 (hardcoded iothubowner credential) combined with CVE-2025-29631 (command injection in upgrade()) yields, per the repository, unauthenticated remote code execution as root on registered devices.
- Chain 2. CVE-2026-28766 (unauthenticated /api/users) combined with CVE-2026-25197 (IDOR on /api/user/{id}) provides, per the repository, access to PII for 134,215 user records, including names, email addresses, phone numbers, and a partial payment-card field (last_four), but not the full card number or CVV.
## Disclosure timeline

Per the maintainer’s coordinated-disclosure repository, initial private vendor disclosure was made on October 14, 2025 by Michael Groberman, in his self-identified capacity as a Gardyn customer with technical knowledge. CERT/CC was engaged on December 11, 2025 as an escalation after vendor silence. CISA published the initial advisory on February 24, 2026 with four CVEs, and Update A on April 2, 2026 expanded it to ten CVEs. See the full timeline and the coordinated disclosure process.
## Primary sources

- CISA ICSA-26-055-03 (advisory and Update A)
- CSAF JSON (CISA)
- Maintainer repository (per-CVE writeups)
- CERT/CC VU#653116 record
- NVD and MITRE CVE: linked from each per-CVE page