Gardyn Security Incident

CVE-2026-55726

Publicly Listable Azure Blob Storage Container (device logs)

CVE: CVE-2026-55726
Advisory: CISA ICSA-26-183-03 (Gardyn IoT Hub)
Severity: Medium (5.3)
CVSS v3.1 vector (per CISA): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness (CWE): CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere
Affected components: Home/Studio Firmware <master.627; Cloud API <2.12.2026
Vendor: Gardyn Inc.
Affected products: Gardyn Home Kit Models 1.0, 2.0, 3.0, 4.0; Gardyn Studio Models 1.0, 2.0
Sector: Food and Agriculture (CISA classification)
Status per CISA: Per CISA, Gardyn states the IoT Hub deployed infrastructure has been updated
Coordinator: CERT/CC (parent case VU#653116) and CISA

What is documented

Per CISA advisory ICSA-26-183-03 and the maintainer’s coordinated-disclosure repository, an Azure Blob Storage container holding device logs was publicly listable without authentication. The CVSS v3.1 vector recorded by CISA (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) reflects an unauthenticated, network-reachable confidentiality exposure.

Relationship to CVE-2025-10681

Per the maintainer’s repository, this finding concerns unauthenticated listability of a device-log storage container and is distinct from CVE-2025-10681 in ICSA-26-055-03, which concerns a hardcoded Azure Blob Storage account key. See the CVE index.

Primary sources

Mitigation per CISA

Per CISA ICSA-26-183-03 (July 2, 2026), Gardyn states that the IoT Hub deployed infrastructure has been updated to fix the listed vulnerabilities. See the CISA advisory and the how to update page.