Gardyn Security Incident

Independent documentation of CISA advisory ICSA-26-055-03 and ten related CVEs affecting the Gardyn IoT platform.

10 CVEs disclosed
134,215 user records exposed
CVSS 9.3 (CVE-2026-28766)
CISA confirmed advisory
Public record discrepancy

Per CISA advisory ICSA-26-055-03 Update A (April 2–4, 2026), an unauthenticated cloud API endpoint exposed records for approximately 134,215 customers. Per the researcher's coordinated-disclosure repository, those records included names, email addresses, phone numbers, physical addresses, and a partial payment card field. The vendor's customer-facing security update post characterizes the exposed information as plant photos and limited demographic data and states that payment card information was not exposed.

See the side-by-side comparison →

Where to go from here

I’m a Gardyn customer: What was exposed, and what you can do
I’m a journalist: Press kit, on-the-record contact, source materials
I’m a researcher: Per-CVE technical detail, GitHub repository

What this site is

This site documents the Gardyn IoT security incident publicly disclosed by CISA on February 24, 2026 and expanded to ten CVEs via Update A on April 2–4, 2026. The original disclosure was made by independent security researcher Michael Groberman, who first contacted Gardyn directly in October 2025, before federal coordination began.

All claims on this site are sourced from primary public records: the CISA advisory, the National Vulnerability Database, MITRE CVE records, and Gardyn's own customer-facing posts. Source links are provided on every page. The methodology page describes how evidence is collected and preserved.

This is not a legal claim. It is a documentary record. Readers are invited to draw their own conclusions from the cited sources.

The ten CVEs

CVE              Severity         Issue
CVE-2026-28766   Critical (9.3)   Unauthenticated /api/users endpoint exposing 134,215 user records
CVE-2025-1242    Critical         Hard-coded Azure IoT Hub administrative credential
CVE-2025-29631   Critical         Command injection in device upgrade routine
CVE-2026-28767   Critical         Administrative endpoints accessible without authentication
CVE-2026-32646   Critical         Additional administrative endpoints accessible without authentication
CVE-2025-10681   High             Hard-coded storage credentials in mobile app and firmware
CVE-2025-29628   High             Insecure HTTP download of IoT Hub connection string
CVE-2025-29629   High             Use of weak default credentials for SSH access
CVE-2026-25197   High             Authenticated authorization bypass on /api/user/{id}
CVE-2026-32662   High             Development endpoints exposed in production without authentication