CERT/CC VU#653116 | CISA Advisory ICSA-26-055-03 | All CVEs | Case Repository | Public Incident Site
Missing Authentication: User Account Endpoint
| Field | Value |
|---|---|
| CVE | CVE-2026-28766 |
| Severity | Critical (9.3) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N |
| Weakness (CWE) | CWE-306: Missing Authentication for Critical Function |
| Affected components | Cloud API <2.12.2026 |
| Vendor | Gardyn Inc. |
| Affected products | Gardyn Home Kit Models 1.0, 2.0, 3.0, 4.0; Gardyn Studio Models 1.0, 2.0 |
| Sector | Food and Agriculture (CISA classification) |
| Status per CISA Update A | Remediated |
| Coordinator | CERT/CC (parent case VU#653116) and CISA |
Per the CISA advisory, an unauthenticated cloud API endpoint (/api/users) exposed records described in the advisory as "all user account information" for approximately 134,215 customers. Per the maintainer's coordinated-disclosure repository, the records included names, email addresses, phone numbers, and the last_four partial payment-card field.
A separately-cataloged single-record companion endpoint (/api/user/{id}, published as CVE-2026-25197) returned per-user records — including physical addresses — by sequential integer ID with no authentication, making the same user space enumerable one record at a time.
The maintainer's coordinated-disclosure repository documents that no authentication-level access logging existed on the affected endpoints during the exposure window; this is sourced to coordinated-disclosure correspondence and to a 2026-01-27 Gardyn customer-support response to a Personal Information Access Request, not to the CISA advisory text.
- CISA ICSA-26-055-03 (Update A)
- NVD: CVE-2026-28766
- MITRE CVE Record: CVE-2026-28766
- Disclosure repository (parent case VU#653116) — see
cves/CVE-2026-28766.mdfor the contemporaneous evidence record - Public incident site
Per CISA Update A (April 2, 2026), this CVE is remediated. The fix versions stated by CISA are: Gardyn mobile application 2.11.0 or later; Gardyn cloud API 2.12.2026 or later; Home Kit firmware master.622 or later.
Reported by Michael Groberman — Gr0m to CISA via CERT/CC VINCE Case VU#653116.