Timeline

Dated events sourced from CISA, NVD, the researcher’s coordinated-disclosure repository, and Gardyn’s own published posts.

| Date | Event | Source |
|---|---|---|
| October 14, 2025 | Initial researcher disclosure to Gardyn. Per the researcher’s repository, the disclosure included the mass PII exposure on /api/users (later assigned CVE-2026-28766). | Researcher repository |
| December 11, 2025 | Disclosure to CERT/CC (parent case VU#653116). Per the researcher’s repository, this was 58 days after initial vendor disclosure. | Researcher repository |
| December 18, 2025 | Per the researcher’s repository, the /api/users endpoint stopped returning data to unauthenticated requests on this date. | Researcher repository |
| January 19, 2026 | Firmware master.583 deployed (build date encoded in the version string master.583.20260119, per the researcher’s repository). | Researcher repository |
| January 22, 2026 | Per the researcher’s repository, the Azure IoT Hub administrative credential (iothubowner) was rotated on this date; the previously distributed key stopped working. | Researcher repository |
| February 24, 2026 | CISA publishes ICSA-26-055-03 (initial: 4 CVEs). Gardyn publishes mygardyn.com/blog/security-update/ the same day, announcing firmware master.619. | CISA / Gardyn |
| March 19, 2026 | Date listed as “Last updated” on Gardyn’s Privacy Policy at mygardyn.com/policy/privacy/. | Gardyn Privacy Policy |
| April 2, 2026 | CISA publishes Update A, expanding to ten CVEs. Added CVEs: CVE-2025-10681, CVE-2026-28766, CVE-2026-25197, CVE-2026-32646, CVE-2026-28767, CVE-2026-32662. Per CISA Update A and per the researcher’s repository, CVE-2025-29631 is remediated in firmware master.622 (the version released after master.619). | CISA / Researcher repository |
| April 2026 onward | Press coverage by SecurityWeek, Patrick Coyle, Cybersecurity News, Cyber Press, GBHackers, Cyber Technology Insights, BitNinja Security. | See press coverage |
| April 26, 2026 | This documentation site is published. | This site |

Key dates

- Initial vendor disclosure: October 14, 2025
- CERT/CC disclosure: December 11, 2025
- /api/users endpoint stops responding to unauthenticated requests: December 18, 2025
- iothubowner credential rotated: January 22, 2026
- CISA ICSA-26-055-03 initial publication: February 24, 2026
- CISA Update A: April 2, 2026
- Affected user records (per CVE-2026-28766): 134,215
- Registered devices (per researcher repository): 138,160+

Embargoed material

Communications conducted on the CERT/CC VINCE coordination platform, and pre-publication communications with the vendor and CISA, are subject to coordination embargoes and are not reproduced here. Where this timeline lists a date during the coordination window, only the date and the public outcome are stated.