CVE-2026-55726
Publicly Listable Azure Blob Storage Container (device logs)
| CVE | CVE-2026-55726 |
|---|---|
| Advisory | CISA ICSA-26-183-03 (Gardyn IoT Hub) |
| Severity | Medium (5.3) |
| CVSS v3.1 vector (per CISA) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| Weakness (CWE) | CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere |
| Affected components | Home/Studio Firmware <master.627; Cloud API <2.12.2026 |
| Vendor | Gardyn Inc. |
| Affected products | Gardyn Home Kit Models 1.0, 2.0, 3.0, 4.0; Gardyn Studio Models 1.0, 2.0 |
| Sector | Food and Agriculture (CISA classification) |
| Status per CISA | Per CISA, Gardyn states the IoT Hub deployed infrastructure has been updated |
| Coordinator | CERT/CC (parent case VU#653116) and CISA |
What is documented
Per CISA advisory ICSA-26-183-03 and the maintainer’s coordinated-disclosure repository, an Azure Blob Storage container holding device logs was publicly listable without authentication. The CVSS v3.1 vector recorded by CISA (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) reflects an unauthenticated, network-reachable confidentiality exposure.
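As an added example (not code from CISA, Gardyn or the disclosure repository), the audit below shows how an operator can find containers in their own storage account that allow anonymous listing, the condition described above. It assumes JSON shaped like the output of `az storage account show` and `az storage container list`; the account and container names are constructed placeholders.

```python
import json

# Constructed sample input. Field names (allowBlobPublicAccess,
# properties.publicAccess) are assumed to match Azure CLI output;
# the account and container names are placeholders, not real resources.
ACCOUNT_JSON = '{"name": "exampleacct", "allowBlobPublicAccess": true}'
CONTAINERS_JSON = """[
  {"name": "example-device-logs", "properties": {"publicAccess": "container"}},
  {"name": "example-assets",      "properties": {"publicAccess": "blob"}},
  {"name": "example-internal",    "properties": {"publicAccess": null}}
]"""


def classify(account, container):
    """Return (finding, reason) for one container's anonymous-access level."""
    level = (container.get("properties") or {}).get("publicAccess")
    level = (level or "off").lower()
    # The account-level switch overrides container settings. A missing or
    # null value is treated as "allowed" so that accounts predating the
    # setting are not silently passed.
    if account.get("allowBlobPublicAccess") is False:
        return ("OK", "anonymous access disabled at account level")
    if level == "container":
        return ("LISTABLE", "anonymous clients can enumerate and read blobs")
    if level == "blob":
        return ("BLOB_READ", "blobs readable by URL, enumeration not allowed")
    return ("OK", "private container")


def audit(account_json, containers_json):
    """Return sorted (finding, container_name, reason) tuples for non-OK containers."""
    account = json.loads(account_json)
    findings = []
    for container in json.loads(containers_json):
        finding, reason = classify(account, container)
        if finding != "OK":
            findings.append((finding, container["name"], reason))
    return sorted(findings)


if __name__ == "__main__":
    for finding, name, reason in audit(ACCOUNT_JSON, CONTAINERS_JSON):
        print(f"[{finding}] {name}: {reason}")
```

Only the `LISTABLE` finding corresponds to the exposure class in this advisory; `BLOB_READ` is reported separately because it permits anonymous reads without enumeration.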
Relationship to CVE-2025-10681
Per the maintainer’s repository, this finding concerns unauthenticated listability of a device-log storage container and is distinct from CVE-2025-10681 in ICSA-26-055-03, which concerns a hardcoded Azure Blob Storage account key. See the CVE index.
Primary sources
- CISA ICSA-26-183-03
- CSAF JSON (CISA)
- NVD: CVE-2026-55726
- MITRE CVE Record: CVE-2026-55726
- Disclosure repository (ICSA-26-183-03)
- Per-CVE researcher repository
Mitigation per CISA
Per CISA ICSA-26-183-03 (July 2, 2026), Gardyn states that the IoT Hub deployed infrastructure has been updated to fix the listed vulnerabilities. See the CISA advisory and the how to update page.