CVE-2026-28766
Missing Authentication: User Account Endpoint
| CVE | CVE-2026-28766 |
|---|---|
| Severity | Critical (9.3) |
| Weakness (CWE) | CWE-306: Missing Authentication for Critical Function |
| Affected components | Cloud API <2.12.2026 |
| Vendor | Gardyn Inc. |
| Affected products | Gardyn Home Kit Models 1.0, 2.0, 3.0, 4.0; Gardyn Studio Models 1.0, 2.0 |
| Sector | Food and Agriculture (CISA classification) |
| Status per CISA Update A | Remediated |
| Coordinator | CERT/CC (parent case VU#653116) and CISA |
What is documented
Per the CISA advisory, an unauthenticated cloud API endpoint (/api/users) exposed records described in the advisory as “all user account information.” Per the maintainer’s coordinated-disclosure repository, the response captured on December 11, 2025 contained 134,215 user records, each including the fields enumerated below. A separately cataloged single-record companion endpoint (/api/user/{id}, CVE-2026-25197) returned per-user records — including physical addresses — by sequential integer ID with no authentication. The maintainer’s coordinated-disclosure repository documents that no authentication-level access logging existed on the affected endpoints during the exposure window; this statement is sourced to coordinated-disclosure correspondence and to a 2026-01-27 Gardyn customer-support response to a Personal Information Access Request, not to the CISA advisory text.
Fields returned in each record
Per the maintainer’s coordinated-disclosure repository, each of the 134,215 records returned by /api/users included the following fields. The advisory text describes the exposure as “all user account information” without enumerating fields; the enumeration below is sourced to evidence preserved by the maintainer (22 timestamped screenshots dated December 11, 2025, two of which captured the full 1.18 MB JSON response body).
| API field | Content | Category |
|---|---|---|
| name | Full name | PII |
| email | Email address | PII |
| mobile | Phone number | PII |
| last_four | Partial payment-card number (populated for paying members; null otherwise) | Partial financial data |
| membership_type | Subscription tier | Account metadata |
| expiration_date | Subscription expiration | Account metadata |
| user_id | Internal user identifier (sequential integer) | Account metadata |
| device_id | Internal device identifier | Device metadata |
| hub_conn_string | Azure IoT Hub connection string with the iothubowner SharedAccessKey (the same administrative credential separately cataloged as CVE-2025-1242) | Administrative credential |
| device_conn_string | Per-device IoT Hub connection string | Device credential |
| timezone | User’s IANA timezone | Account metadata |
| create_time | Account creation epoch timestamp | Account metadata |
Chained impact
The presence of the hub_conn_string field in every record means that the same single unauthenticated HTTP GET request that returned PII for 134,215 customers also returned the Azure IoT Hub administrative credential corresponding to CVE-2025-1242. Per Azure IoT Hub documentation, the iothubowner SharedAccessKey grants Service Connect, Device Connect, and Registry Read/Write permissions across the entire IoT Hub. Per the maintainer’s repository, this means an anonymous requester to /api/users obtained, in a single response: full PII for ~134,215 customers; the administrative credential controlling the production IoT Hub; and access sufficient to push OTA firmware updates to all registered devices, including bricking. The two CVEs (CVE-2026-28766 and CVE-2025-1242) are cataloged separately in the CISA advisory; per the maintainer’s repository, they were delivered through a single endpoint response and are not separately exploitable conditions in the captured evidence.
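The two defects described above (no authentication on /api/users, and raw records serialised with the hub_conn_string and device_conn_string fields intact) can be illustrated side by side. The following is an added example written for this page, not Gardyn's code: a minimal handler model with the CWE-306 pattern, a hardened version that requires an admin session and serialises only an allowlisted field set (PUBLIC_FIELDS is a hypothetical allowlist), and a defender-side check that flags credential fields or SharedAccessKey material in any response body. The sample record is constructed with fake values that mirror the documented field list.

```python
import json
import re

# Constructed sample record mirroring the documented field list; all values are fake.
SAMPLE_USERS = [
    {"user_id": 1, "name": "Jane Doe", "email": "jane@example.com", "mobile": "+15550100",
     "last_four": "4242", "membership_type": "plus", "expiration_date": "2026-12-31",
     "device_id": "dev-0001", "timezone": "America/New_York", "create_time": 1700000000,
     "hub_conn_string": "HostName=example.azure-devices.net;SharedAccessKeyName=iothubowner;SharedAccessKey=FAKEKEY",
     "device_conn_string": "HostName=example.azure-devices.net;DeviceId=dev-0001;SharedAccessKey=FAKEKEY"},
]

# Hypothetical allowlist: the only fields an authenticated admin listing may expose.
PUBLIC_FIELDS = {"user_id", "name", "email", "membership_type", "expiration_date", "timezone", "create_time"}

# Secret-bearing fields that must never appear in any HTTP response body.
CREDENTIAL_FIELDS = {"hub_conn_string", "device_conn_string"}
SAS_KEY_RE = re.compile(r"SharedAccessKey=")


def vulnerable_users_handler(request, db=SAMPLE_USERS):
    """CWE-306 pattern: no authentication check, database rows serialised as-is."""
    return 200, json.dumps(db)


def hardened_users_handler(request, db=SAMPLE_USERS, sessions=None):
    """Require a valid bearer session with the admin role, then emit only allowlisted fields."""
    sessions = sessions or {}
    token = request.get("headers", {}).get("Authorization", "")
    session = sessions.get(token.removeprefix("Bearer "))
    if session is None:
        return 401, json.dumps({"error": "authentication required"})
    if session.get("role") != "admin":
        return 403, json.dumps({"error": "insufficient privilege"})
    redacted = [{k: v for k, v in rec.items() if k in PUBLIC_FIELDS} for rec in db]
    return 200, json.dumps(redacted)


def response_leaks_credentials(body):
    """Defender-side check (CI test or egress filter): True if a JSON body carries credential fields or a SAS key."""
    data = json.loads(body)
    records = data if isinstance(data, list) else [data]
    for rec in records:
        if isinstance(rec, dict) and (CREDENTIAL_FIELDS & rec.keys()):
            return True
    return bool(SAS_KEY_RE.search(body))
```

Running response_leaks_credentials over the vulnerable handler's output returns True, which is the regression test that would have caught the chained credential exposure before deployment.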
CVSS scoring observation
The CISA advisory scores CVE-2026-28766 at CVSS 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L). Per the maintainer’s coordinated-disclosure repository, the inclusion of the hub_conn_string administrative credential in the response is consistent with higher Integrity and Availability impact than the L (Low) values currently scored, and arguably with a Scope change from U (Unchanged) to C (Changed) on the basis that the credential grants reach beyond the API server boundary into the IoT Hub and the registered device fleet. CVSS scoring is a CISA / NVD determination; this observation is preserved here as part of the public coordinated-disclosure record.
Primary sources
- CISA ICSA-26-055-03 (Update A)
- NVD: CVE-2026-28766
- MITRE CVE Record: CVE-2026-28766
- Disclosure repository
- Per-CVE researcher repository
Mitigation per CISA Update A
Per CISA Update A (April 2, 2026), this CVE is remediated. The fix versions stated by CISA are: Gardyn mobile application 2.11.0 or later; Gardyn cloud API 2.12.2026 or later; Home Kit firmware master.622 or later. See the CISA advisory and the how-to-update page.