CVE-2026-54477
Admin Panel Missing Security Headers (clickjacking / XSS)
| CVE | CVE-2026-54477 |
|---|---|
| Advisory | CISA ICSA-26-183-03 (Gardyn IoT Hub) |
| Severity | Medium (5.4) |
| CVSS v3.1 vector (per CISA) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
| Weakness (CWE) | CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax |
| Affected components | Home/Studio Firmware <master.627; Cloud API <2.12.2026 |
| Vendor | Gardyn Inc. |
| Affected products | Gardyn Home Kit Models 1.0, 2.0, 3.0, 4.0; Gardyn Studio Models 1.0, 2.0 |
| Sector | Food and Agriculture (CISA classification) |
| Status per CISA | Per CISA, Gardyn states the IoT Hub deployed infrastructure has been updated |
| Coordinator | CERT/CC (parent case VU#653116) and CISA |
What is documented
Per CISA advisory ICSA-26-183-03 and the maintainer’s coordinated-disclosure repository, the administrative panel served responses that lacked security headers, a condition documented as enabling clickjacking and cross-site scripting. The CVSS v3.1 vector recorded by CISA (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) reflects a weakness reachable over the network without prior privileges, but one whose exploitation requires user interaction; the recorded impact is limited loss of confidentiality and integrity with no availability impact.
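The advisory does not list which headers were absent. The following is an added example (not Gardyn's code and not taken from the CISA or researcher material) showing how a defender can audit a raw HTTP response for the headers whose absence is generally associated with the two outcomes the advisory names: a framing restriction (Content-Security-Policy frame-ancestors or X-Frame-Options) against clickjacking, and a CSP script-src plus X-Content-Type-Options: nosniff to limit script injection. The two sample responses are constructed for the example, not captured from any device, and the header set checked is an assumption based on general practice rather than on this advisory.

```python
"""Audit an HTTP response head for clickjacking / XSS hardening headers.

Added example for this advisory page; the checked headers are assumed from
general practice, not taken from ICSA-26-183-03, which does not name them.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class HeaderFinding:
    header: str
    status: str   # "missing", "weak" or "ok"
    detail: str


def parse_response_head(raw: str) -> tuple[int, dict[str, str]]:
    """Parse status line and headers of a raw HTTP/1.1 response.
    Names are lower-cased; duplicate fields are joined with ', '."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def _csp_directive(csp: str, directive: str) -> str | None:
    """Return the value of one CSP directive, or None if it is absent."""
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() == directive:
            return " ".join(tokens[1:])
    return None


def audit_headers(headers: dict[str, str]) -> list[HeaderFinding]:
    findings: list[HeaderFinding] = []
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")

    # Clickjacking: CSP frame-ancestors (preferred) or X-Frame-Options DENY/SAMEORIGIN.
    fa = _csp_directive(csp, "frame-ancestors") if csp else None
    xfo = h.get("x-frame-options", "").strip().upper()
    if fa is not None:
        findings.append(HeaderFinding("Content-Security-Policy frame-ancestors", "ok", fa))
    elif xfo in ("DENY", "SAMEORIGIN"):
        findings.append(HeaderFinding("X-Frame-Options", "ok", xfo))
    elif xfo:
        findings.append(HeaderFinding("X-Frame-Options", "weak",
                                      f"unrecognised value {xfo!r}; ALLOW-FROM is obsolete"))
    else:
        findings.append(HeaderFinding("X-Frame-Options / frame-ancestors", "missing",
                                      "page may be framed by any origin (clickjacking)"))

    # XSS hardening: a CSP whose effective script source excludes 'unsafe-inline'.
    if not csp:
        findings.append(HeaderFinding("Content-Security-Policy", "missing",
                                      "no CSP; injected scripts run unrestricted"))
    else:
        src = _csp_directive(csp, "script-src") or _csp_directive(csp, "default-src")
        if src is None:
            findings.append(HeaderFinding("Content-Security-Policy script-src", "weak",
                                          "neither script-src nor default-src set"))
        elif "'unsafe-inline'" in src:
            findings.append(HeaderFinding("Content-Security-Policy script-src", "weak",
                                          "'unsafe-inline' allows injected inline scripts"))
        else:
            findings.append(HeaderFinding("Content-Security-Policy script-src", "ok", src))

    # MIME sniffing: nosniff stops browsers treating non-script responses as script.
    if h.get("x-content-type-options", "").strip().lower() == "nosniff":
        findings.append(HeaderFinding("X-Content-Type-Options", "ok", "nosniff"))
    else:
        findings.append(HeaderFinding("X-Content-Type-Options", "missing",
                                      "browsers may sniff content as script"))
    return findings


def missing_or_weak(findings: list[HeaderFinding]) -> list[str]:
    return [f.header for f in findings if f.status != "ok"]


def audit_raw(raw: str) -> list[str]:
    """Parse a raw response and return the headers that are missing or weak."""
    _, headers = parse_response_head(raw)
    return missing_or_weak(audit_headers(headers))


# Constructed sample responses (not captured from any real device).
UNHARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: example\r\n"
    "\r\n<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n<html>...</html>"
)

if __name__ == "__main__":
    for name, raw in (("unhardened", UNHARDENED_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit_raw(raw) or "all checks ok")
```

Run against the unhardened sample the audit reports the framing restriction, the CSP and nosniff as missing; the hardened sample reports nothing. The same function can be pointed at headers captured from a lab device (for example via the `headers` mapping of an `http.client` response) to confirm a firmware update actually changed the served headers rather than relying on the version string alone.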
Primary sources
- CISA ICSA-26-183-03
- CSAF JSON (CISA)
- NVD: CVE-2026-54477
- MITRE CVE Record: CVE-2026-54477
- Disclosure repository (ICSA-26-183-03)
- Per-CVE researcher repository
Mitigation per CISA
Per CISA ICSA-26-183-03 (July 2, 2026), Gardyn states that the deployed IoT Hub infrastructure has been updated to fix the listed vulnerabilities. See the CISA advisory and the how-to-update page.