Vendor Public Statements: Discrepancies
Side-by-side of Gardyn’s customer-facing security update post against CISA advisory ICSA-26-055-03 and the maintainer’s coordinated-disclosure repository, plus changes observed in the post over time per Wayback Machine captures.
Source documents
| Source | Location |
|---|---|
| Gardyn statement (current) | mygardyn.com/blog/security-update/ |
| Wayback Machine capture index | web.archive.org/web/*/mygardyn.com/blog/security-update/ (8 captures, Feb 24, 2026 – Apr 27, 2026) |
| Federal advisory | CISA ICSA-26-055-03 (Update A) |
| Maintainer repository | github.com/MichaelAdamGroberman/ICSA-26-055-03 |
Item 1: Payment card data
Gardyn (paraphrased from FAQ): The FAQ section of the security update post states that the vulnerabilities did not expose payment card information, and that Gardyn does not store payment card information on Gardyn systems or applications.
CISA advisory (paraphrased): CVE-2026-28766 documents an unauthenticated endpoint that, in the advisory’s description, exposed “all user account information” for registered users. The advisory does not enumerate field names.
Maintainer repository (paraphrased): The records returned by the affected /api/users endpoint included names, email addresses, phone numbers, physical addresses, and the last_four partial payment-card field for approximately 134,215 customers.
Item 2: Information at risk
Gardyn (paraphrased): In response to the FAQ question about what information could have been exposed, the post lists plant photos and limited demographic information comprising name, address, phone number, and email address.
Maintainer repository (paraphrased): The records returned by the affected /api/users endpoint also included the last_four partial payment-card field.
Item 3: Whether the incident is a “data breach”
Gardyn (paraphrased): In response to the FAQ question “Was this a data breach?”, the current post answers that based on its investigation to date, Gardyn has no evidence that customer personal information was accessed, acquired, or misused as a result of these vulnerabilities.
CISA advisory: The advisory does not adjudicate whether the incident constitutes a data breach under any particular statute. The advisory documents ten CVEs including unauthenticated endpoints exposing user account information.
Maintainer repository (paraphrased): Per the maintainer’s repository, the vendor stated to CISA that no access logging existed on the affected endpoints during the exposure window.
Item 4: Researcher and dates
Gardyn (paraphrased): The post states that Gardyn worked with CISA as part of a coordinated vulnerability response and that the vulnerabilities were identified by a third-party security researcher. The post does not name the researcher, the date of initial vendor contact, or any subsequent dates.
CISA advisory: Credits Michael Groberman as the reporting researcher.
Maintainer repository (paraphrased): Initial vendor disclosure was October 14, 2025; CERT/CC engagement was December 11, 2025; the /api/users endpoint stopped responding to unauthenticated requests on December 18, 2025; the Azure IoT Hub administrative credential was rotated on January 22, 2026.
Item 5: Firmware fix version
Gardyn (paraphrased): The post directs customers to verify firmware version master.619 or later.
CISA Update A (paraphrased): The fix version stated in CISA Update A for the affected firmware is master.622.
Maintainer repository (paraphrased): CVE-2025-29631 is remediated in firmware master.622 (the version released after master.619).
Item 6: “Published” date changed after publication
Per Wayback Machine captures of https://mygardyn.com/blog/security-update/:
| Wayback capture date | “Published” date shown on page |
|---|---|
| February 24, 2026 | Published Feb 23, 2026 |
| February 25, 2026 | Published Feb 23, 2026 |
| March 9, 2026 | Published Feb 24, 2026 |
| April 2, 2026 onward | Published Feb 24, 2026 |
Per the same Wayback captures, the “Published” date displayed on the page was changed from Feb 23, 2026 to Feb 24, 2026 between Feb 25, 2026 and Mar 9, 2026.
Item 7: Page CVE list expansion lagged the stated revision date
Gardyn’s current post displays a header stating “Original publication date: 02/24/2026 / Revisions noted: 04/02/2026.” Per Wayback Machine captures of the page:
| Wayback capture date | Number of CVEs listed in the technical reference table | “Revisions noted” line present? |
|---|---|---|
| February 24 – February 25, 2026 | 4 (CVE-2025-29628, CVE-2025-29629, CVE-2025-29631, CVE-2025-1242) | No |
| March 9, 2026 | 4 (same four) | No |
| April 2, 2026 | 4 (same four) | No |
| April 25 – April 27, 2026 | 10 (the original four plus CVE-2025-10681, CVE-2026-25197, CVE-2026-28766, CVE-2026-28767, CVE-2026-32646, CVE-2026-32662) | Yes (“04/02/2026”) |
CISA published Update A (the expansion to 10 CVEs) on April 2, 2026. Per the Wayback captures above, the six additional CVEs were not present on Gardyn’s post in the April 2, 2026 capture and first appear in captures dated April 25, 2026 and later. Per the same captures, the line “Revisions noted: 04/02/2026” was added to the page during the same window.
Item 8: Wording changes between pre- and post-Update-A versions
Per Wayback Machine captures, the following wording changes appear between captures dated April 2, 2026 and April 25, 2026:
| Section | Pre-April-25 wording (paraphrased) | Post-April-25 wording (paraphrased) |
|---|---|---|
| “What we know today” bullet | The vulnerabilities did not expose financial or credit card information. | The vulnerabilities did not expose payment card information. |
| “What was potentially possible before remediation” | Access limited personal information (for example: name, address, phone number, email address). | Access limited demographic information (for example: name, address, phone number, email address). |
| FAQ “Was my credit card or payment information exposed?” | The vulnerabilities did not expose financial or credit card information. | The vulnerabilities did not expose payment card information. |
| FAQ “What information could have been exposed” | Plant photos and limited personal information such as name, address, phone number, and email address. | Plant photos and limited demographic information such as name, address, phone number, and email address. |
| FAQ “Was this a data breach?” | No evidence that customer data was accessed, acquired, or misused. | No evidence that customer personal information was accessed, acquired, or misused. |
Item 9: Detectability of access
Gardyn (paraphrased): Gardyn’s customer-facing security update post states that, based on the investigation to date, Gardyn has no evidence that customer personal information was accessed, acquired, or misused as a result of these vulnerabilities.
Maintainer’s repository (paraphrased): Per the maintainer’s repository, the vendor stated to CISA that no access logging existed on the affected endpoints during the exposure window.
Forensic implication: When no access logging exists on an endpoint, unauthenticated access to that endpoint during the unlogged window is not observable in the vendor’s logs. A statement that there is no evidence of access is constrained by what could be observed; in the absence of logging, the absence of evidence is structural rather than substantive. The vendor’s “no evidence of access” claim and the vendor’s “no logging existed” statement to CISA are reproduced here without further characterization.
What this site does not say
This site does not characterize Gardyn’s statements. It documents the public record on each side and links to primary sources. Wayback Machine captures are independently maintained by the Internet Archive and can be inspected at the calendar link above. If Gardyn or any party believes a statement on this page is inaccurate, see the correction process on the methodology page.