CVE-2026-13768
Privileged IoT Hub credential — fleet enumeration, device RCE, home-network pivot
| CVE | CVE-2026-13768 |
|---|---|
| Advisory | CISA ICSA-26-183-03 (Gardyn IoT Hub) |
| Severity | Critical (10.0) |
| CVSS v3.1 vector (per CISA) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L |
| Weakness (CWE) | CWE-798: Use of Hard-coded Credentials |
| Affected components | Home/Studio Firmware <master.627; Cloud API <2.12.2026 |
| Vendor | Gardyn Inc. |
| Affected products | Gardyn Home Kit Models 1.0, 2.0, 3.0, 4.0; Gardyn Studio Models 1.0, 2.0 |
| Sector | Food and Agriculture (CISA classification) |
| Status per CISA | Per CISA, Gardyn states the IoT Hub deployed infrastructure has been updated |
| Coordinator | CERT/CC (parent case VU#653116) and CISA |
What is documented
Per CISA advisory ICSA-26-183-03 and the maintainer’s coordinated-disclosure repository, an exposed privileged IoT Hub credential (the iothubowner-class administrative key) permitted unauthenticated access to invoke IoT Hub Registry Manager functions, retrieve device connection information, execute arbitrary commands on managed devices, and pivot across networks. Per CISA, successful exploitation could allow unauthenticated users to access and control IoT Hub managed devices. The advisory carries an overall CVSS v3 base score of 10.0.
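The weakness above is a hub-scoped shared-access key shipped where only a device-scoped credential belongs. As an added example (not code from the advisory, the vendor or the researcher repository), this Python check scans a firmware or configuration bundle for embedded IoT Hub connection strings and flags any that name a hub-level policy, treating iothubowner as the critical case; it assumes the Azure IoT Hub connection-string layout (HostName/DeviceId/SharedAccessKeyName/SharedAccessKey), and the sample bundle and keys are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a firmware/config bundle. Both keys are placeholders, not real secrets.
SAMPLE_CONFIG = """
[device]
cs=HostName=example-hub.azure-devices.net;DeviceId=unit-0042;SharedAccessKey=ZGV2aWNlLWtleS1wbGFjZWhvbGRlcg==
[updater]
# hub-scoped policy key left over from an internal tool; must never ship in a device image
cs=HostName=example-hub.azure-devices.net;SharedAccessKeyName=iothubowner;SharedAccessKey=b3duZXIta2V5LXBsYWNlaG9sZGVy
"""

# Matches 'HostName=...;Key=Value;...' runs (Azure IoT Hub connection-string layout, assumed here).
CS_RE = re.compile(r"HostName=[^;\s]+(?:;[A-Za-z]+=[^;\s]+)+")

def parse_connection_string(cs: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict; only the first '=' separates key from value."""
    return dict(part.split("=", 1) for part in cs.split(";") if "=" in part)

def classify_scope(fields: Dict[str, str]) -> str:
    """Device-scoped strings carry DeviceId; hub-scoped ones name a shared-access policy."""
    if "DeviceId" in fields:
        return "device:" + fields["DeviceId"]
    if "SharedAccessKeyName" in fields:
        return "hub-policy:" + fields["SharedAccessKeyName"]
    return "unknown"

def severity(scope: str) -> str:
    if scope == "hub-policy:iothubowner":
        return "critical"   # registry-manager rights over the whole fleet: the CWE-798 case above
    if scope.startswith("hub-policy:"):
        return "high"       # any hub-level policy is too broad for a single device image
    return "ok"

def scan_config(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, scope, severity) for every embedded hub-scoped connection string."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in CS_RE.finditer(line):
            scope = classify_scope(parse_connection_string(match.group(0)))
            sev = severity(scope)
            if sev != "ok":
                # report position and scope only; never echo the key itself into build logs
                findings.append((line_no, scope, sev))
    return findings

if __name__ == "__main__":
    for line_no, scope, sev in scan_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {sev.upper()} embedded {scope} credential")
```

Run as a build gate, a non-empty result from scan_config fails the firmware build before the image reaches a device.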
Relationship to ICSA-26-055-03
Per the maintainer’s repository, the control-plane blast radius of the Chain 1 attack documented under ICSA-26-055-03 — CVE-2025-1242 (hardcoded iothubowner credential) combined with CVE-2025-29631 (command injection in upgrade()) — is separately cataloged in this companion advisory as CVE-2026-13768. See the CVE index and CVE-2025-1242.
Primary sources
- CISA ICSA-26-183-03
- CSAF JSON (CISA)
- NVD: CVE-2026-13768
- MITRE CVE Record: CVE-2026-13768
- Disclosure repository (ICSA-26-183-03)
- Per-CVE researcher repository
Mitigation per CISA
Per CISA ICSA-26-183-03 (July 2, 2026), Gardyn states that the IoT Hub deployed infrastructure has been updated to fix the listed vulnerabilities. Per CISA, users should ensure devices have internet connectivity so firmware updates apply automatically (firmware fix line master.627) and should update the mobile application. See the CISA advisory and the vendor's how-to-update page.