Gardyn Security Incident


CVE-2026-54477

Admin Panel Missing Security Headers (clickjacking / XSS)

CVE: CVE-2026-54477
Advisory: CISA ICSA-26-183-03 (Gardyn IoT Hub)
Severity: Medium (5.4)
CVSS v3.1 vector (per CISA): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Weakness (CWE): CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax
Affected components: Home/Studio Firmware <master.627; Cloud API <2.12.2026
Vendor: Gardyn Inc.
Affected products: Gardyn Home Kit Models 1.0, 2.0, 3.0, 4.0; Gardyn Studio Models 1.0, 2.0
Sector: Food and Agriculture (CISA classification)
Status per CISA: Per CISA, Gardyn states the IoT Hub deployed infrastructure has been updated
Coordinator: CERT/CC (parent case VU#653116) and CISA

What is documented

Per CISA advisory ICSA-26-183-03 and the maintainer’s coordinated-disclosure repository, the administrative panel served responses that lacked security headers, a condition documented as enabling clickjacking and cross-site scripting. The CVSS v3.1 vector recorded by CISA (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) reflects a network-reachable weakness that requires user interaction.
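To make the documented condition concrete from the defender's side, the following added example (not Gardyn's code, not from CISA, and not tied to the IoT Hub's actual stack) audits an HTTP response's headers for the protections whose absence enables clickjacking (a framing restriction: CSP frame-ancestors or X-Frame-Options) and reduces XSS impact (a restrictive Content-Security-Policy and X-Content-Type-Options: nosniff), and shows a hardened header set applied to a constructed sample response. The header values and the sample response are illustrative assumptions, not values taken from the advisory.

```python
"""
Added example, not Gardyn's or CISA's code: audit an HTTP response's headers for
the protections whose absence is documented as enabling clickjacking and XSS,
and show a hardened header set. Header values and sample data are constructed.
"""
from typing import Dict, List

# Hardened set an admin panel should send (assumed policy, not Gardyn's).
# Clickjacking is blocked by a framing restriction (CSP frame-ancestors or the
# legacy X-Frame-Options); XSS impact is reduced by a restrictive CSP and by
# preventing MIME sniffing.
HARDENED_HEADERS: Dict[str, str] = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}


def _csp_directives(csp: str) -> Dict[str, str]:
    """Parse a Content-Security-Policy value into {directive: value}."""
    out: Dict[str, str] = {}
    for part in csp.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition(" ")
        out[name.lower()] = value.strip()
    return out


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for missing or weak headers. Names are compared
    case-insensitively, as HTTP header names are."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    csp = _csp_directives(h.get("content-security-policy", ""))
    xfo = h.get("x-frame-options", "").strip().upper()
    # Clickjacking: need CSP frame-ancestors or X-Frame-Options DENY/SAMEORIGIN.
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("clickjacking: no CSP frame-ancestors and no X-Frame-Options")
    # XSS impact: a CSP must exist and must not leave script sources wide open.
    if not csp:
        findings.append("xss: no Content-Security-Policy")
    else:
        script = csp.get("script-src", csp.get("default-src", "")).split()
        if "*" in script or "'unsafe-inline'" in script:
            findings.append("xss: script-src permits '*' or 'unsafe-inline'")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("xss: X-Content-Type-Options is not 'nosniff'")
    return findings


def harden(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers with the hardened set applied; unrelated
    headers are preserved and existing security headers are overwritten."""
    out = dict(headers)
    out.update(HARDENED_HEADERS)
    return out


# Constructed sample: a response from an admin page that sends no security headers.
SAMPLE_BARE: Dict[str, str] = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "example-admin/1.0",  # constructed value
}

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_BARE):
        print("finding:", finding)
    print("after hardening:", audit_headers(harden(SAMPLE_BARE)))
```

The audit treats CSP frame-ancestors as the primary framing control and accepts X-Frame-Options as the fallback, so a panel that sets either one passes the clickjacking check; a CSP whose effective script source is `*` or `'unsafe-inline'` is flagged because it does not constrain injected script.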

Primary sources

CISA advisory ICSA-26-183-03 (Gardyn IoT Hub), July 2, 2026; CERT/CC parent case VU#653116; the maintainer's coordinated-disclosure repository.

Mitigation per CISA

Per CISA ICSA-26-183-03 (July 2, 2026), Gardyn states that the IoT Hub deployed infrastructure has been updated to fix the listed vulnerabilities. See the CISA advisory and the how-to-update page.
