Gardyn Security Incident


Vendor Public Statements: Discrepancies

Side-by-side of Gardyn’s customer-facing security update post against CISA advisory ICSA-26-055-03 and the maintainer’s coordinated-disclosure repository, plus changes observed in the post over time per Wayback Machine captures.

Source documents

Gardyn statement (current): mygardyn.com/blog/security-update/
Wayback Machine capture index: web.archive.org/web/*/mygardyn.com/blog/security-update/ (captures Feb 24, 2026 – May 29, 2026; locally mirrored set in Item 10)
Federal advisory: CISA ICSA-26-055-03 (Update A)
Maintainer repository: github.com/MichaelAdamGroberman/ICSA-26-055-03

Item 1: Payment card data

Gardyn (paraphrased from FAQ): The FAQ section of the security update post states that the vulnerabilities did not expose payment card information, and that Gardyn does not store payment card information on Gardyn systems or applications.

CISA advisory (paraphrased): CVE-2026-28766 documents an unauthenticated endpoint that, in the advisory’s description, exposed “all user account information” for registered users. The advisory does not enumerate field names.

Maintainer repository (paraphrased): The records returned by the affected /api/users endpoint included names, email addresses, phone numbers, a partial payment-card field (last_four; not the full card number or CVV) and, in every record, the Azure IoT Hub iothubowner administrative credential, for approximately 134,215 customers. See CVE-2026-28766 for the full field enumeration. A separately cataloged single-record companion endpoint (/api/user/{id}, CVE-2026-25197) returned per-user records, including physical addresses, by sequential integer ID with no authentication.

Item 2: Information at risk

Gardyn (paraphrased): In response to the FAQ question about what information could have been exposed, the post lists plant photos and limited demographic information comprising name, address, phone number, and email address.

Maintainer repository (paraphrased): The records returned by the affected /api/users endpoint also included a partial payment-card field (last_four; not the full card number or CVV), which the post's list does not mention.

Item 3: Whether the incident is a “data breach”

Gardyn (paraphrased): In response to the FAQ question “Was this a data breach?”, the current post answers that based on its investigation to date, Gardyn has no evidence that customer personal information was accessed, acquired, or misused as a result of these vulnerabilities.

CISA advisory: The advisory does not adjudicate whether the incident constitutes a data breach under any particular statute. The advisory documents ten CVEs including unauthenticated endpoints exposing user account information.

Maintainer repository (paraphrased): Per the maintainer's coordinated-disclosure repository, no authentication-level access logging existed on the affected endpoints during the exposure window. This claim is sourced to coordinated-disclosure correspondence in which the maintainer reported the gap and the vendor did not dispute it, and to a 2026-01-27 Gardyn customer-support response to a Personal Information Access Request; it is not drawn from the CISA advisory text.

Item 4: Researcher and dates

Gardyn (paraphrased): The post states that Gardyn worked with CISA as part of a coordinated vulnerability response and that the vulnerabilities were identified by a third-party security researcher. The post does not name the researcher, the date of initial vendor contact, or any subsequent dates.

CISA advisory: Credits Michael Groberman as the reporting researcher.

Maintainer repository (paraphrased): Initial vendor disclosure was October 14, 2025; CERT/CC engagement was December 11, 2025; the /api/users endpoint stopped responding to unauthenticated requests on December 18, 2025; the Azure IoT Hub administrative credential was rotated on January 22, 2026.

Item 5: Firmware fix version

Gardyn (paraphrased): The post directs customers to verify firmware version master.619 or later.

CISA Update A (paraphrased): The fix version stated in CISA Update A for the affected firmware is master.622.

Maintainer repository (paraphrased): CVE-2025-29631 is remediated in firmware master.622, the release after master.619; master.619, the version the post tells customers to verify, therefore predates the remediating release.

Item 6: “Published” date changed after publication

Per Wayback Machine captures of https://mygardyn.com/blog/security-update/:

Wayback capture date      "Published" date shown on page
February 24, 2026         Published Feb 23, 2026
February 25, 2026         Published Feb 23, 2026
March 9, 2026             Published Feb 24, 2026
April 2, 2026 onward      Published Feb 24, 2026

Per the same Wayback captures, the "Published" date displayed on the page changed from Feb 23, 2026 to Feb 24, 2026 between the Feb 25, 2026 and Mar 9, 2026 captures. The JSON-LD dateModified recorded in the Mar 9, 2026 capture is 2026-03-02 14:04:53 UTC (see Item 10), which narrows the change to on or before that date.

Item 7: Page CVE list expansion lagged the stated revision date

Gardyn’s current post displays a header stating “Original publication date: 02/24/2026 / Revisions noted: 04/02/2026.” Per Wayback Machine captures of the page:

February 24 – February 25, 2026: 4 CVEs listed in the technical reference table (CVE-2025-29628, CVE-2025-29629, CVE-2025-29631, CVE-2025-1242); "Revisions noted" line present: No
March 9, 2026: 4 CVEs (same four); "Revisions noted" line present: No
April 2, 2026: 4 CVEs (same four); "Revisions noted" line present: No
April 25 – April 27, 2026: 10 CVEs (the original four plus CVE-2025-10681, CVE-2026-25197, CVE-2026-28766, CVE-2026-28767, CVE-2026-32646, CVE-2026-32662); "Revisions noted" line present: Yes ("04/02/2026")

CISA published Update A (the expansion to 10 CVEs) on April 2, 2026. Per the Wayback captures above, the six additional CVEs were not present in the April 2, 2026 capture of Gardyn's post and first appear in captures dated April 25, 2026 and later; the line "Revisions noted: 04/02/2026" was added to the page during the same window. The JSON-LD dateModified recorded in the April 25, 2026 capture is 2026-04-07 18:05:17 UTC (see Item 10), five days after the date given on the "Revisions noted" line.

Item 8: Wording changes between pre- and post-Update-A versions

Per Wayback Machine captures, the following wording changes appear between captures dated April 2, 2026 and April 25, 2026:

"What we know today" bullet
  Pre-April-25 wording (paraphrased): The vulnerabilities did not expose financial or credit card information.
  Post-April-25 wording (paraphrased): The vulnerabilities did not expose payment card information.

"What was potentially possible before remediation"
  Pre-April-25 wording (paraphrased): Access limited personal information (for example: name, address, phone number, email address).
  Post-April-25 wording (paraphrased): Access limited demographic information (for example: name, address, phone number, email address).

FAQ "Was my credit card or payment information exposed?"
  Pre-April-25 wording (paraphrased): The vulnerabilities did not expose financial or credit card information.
  Post-April-25 wording (paraphrased): The vulnerabilities did not expose payment card information.

FAQ "What information could have been exposed"
  Pre-April-25 wording (paraphrased): Plant photos and limited personal information such as name, address, phone number, and email address.
  Post-April-25 wording (paraphrased): Plant photos and limited demographic information such as name, address, phone number, and email address.

FAQ "Was this a data breach?"
  Pre-April-25 wording (paraphrased): No evidence that customer data was accessed, acquired, or misused.
  Post-April-25 wording (paraphrased): No evidence that customer personal information was accessed, acquired, or misused.

Item 9: Detectability of access

Gardyn (paraphrased): As in Item 3, the customer-facing security update post states that, based on the investigation to date, Gardyn has no evidence that customer personal information was accessed, acquired, or misused as a result of these vulnerabilities.

Maintainer's repository (paraphrased): As in Item 3, the coordinated-disclosure repository states that no authentication-level access logging existed on the affected endpoints during the exposure window. The claim is sourced to coordinated-disclosure correspondence in which the maintainer reported the gap and the vendor did not dispute it, and to the 2026-01-27 Gardyn customer-support response to a Personal Information Access Request; it is not drawn from the CISA advisory text.

Forensic implication: When an endpoint has no access logging, unauthenticated requests to it during the unlogged window leave no trace in the vendor's logs. A statement that there is no evidence of access is therefore bounded by what the vendor could observe; absent logging, the absence of evidence is structural rather than substantive. The vendor's "no evidence of access" claim and the documented logging gap are both reproduced here without further characterization.

Item 10: Wayback Machine snapshot index for this page

The following Wayback Machine snapshots of https://mygardyn.com/blog/security-update/ are mirrored locally on this site under /captures/wayback/security-update/. Mirrors are not modified after fetch; SHA-256 hashes are recorded in the /captures/wayback/manifest.json file. The capture index spans February 24, 2026 through May 29, 2026 (twelve snapshots: eleven Wayback Machine captures and one direct maintainer fetch).

Wayback capture summary
  12 captures (2026-02-24 – 2026-05-29)
  2 with substantive change
  10 republished with no content change
The table below lists only captures showing a substantive change since the prior capture. The full chronological index of all 12 captures (including republishes with no content change) is at /captures/wayback/.
Fields recorded for each capture: Captured (UTC); JSON-LD dateModified; Body "Last updated"; Added; Removed; Primary source; Local mirror; Size; SHA-256 (truncated).

Capture of 2026-03-09
  Captured (UTC): 2026-03-09 02:54:06 UTC
  JSON-LD dateModified: 2026-03-02 14:04:53 UTC
  Body "Last updated": (no value shown)
  Added: "Published Feb 24, 2026" (see Item 6)
  Removed: "Published Feb 23, 2026" (see Item 6)
  Primary source: archive.org
  Local mirror: local copy
  Size: 796.6 KB
  SHA-256 (truncated): cd3f0aa315fb…

Capture of 2026-04-25
  Captured (UTC): 2026-04-25 17:05:24 UTC
  JSON-LD dateModified: 2026-04-07 18:05:17 UTC
  Body "Last updated": (no value shown)
  Added:
    • "Revisions noted: 04/02/2026" header line added (see Item 7)
    • Six CVE IDs added to the technical reference table: CVE-2025-10681, CVE-2026-25197, CVE-2026-28766, CVE-2026-28767, CVE-2026-32646, CVE-2026-32662 (see Item 7)
    • "What we know today" bullet: "did not expose payment card information" (see Item 8)
    • "What was potentially possible before remediation": "limited demographic information" (see Item 8)
    • FAQ "Was my credit card or payment information exposed?": "did not expose payment card information" (see Item 8)
    • FAQ "What information could have been exposed": "limited demographic information such as name, address, phone number, and email address" (see Item 8)
    • FAQ "Was this a data breach?": "No evidence that customer personal information was accessed, acquired, or misused" (see Item 8)
    • JSON-LD dateModified advanced to 2026-04-07T18:05:17+00:00
  Removed:
    • "What we know today" bullet: "did not expose financial or credit card information" (see Item 8)
    • "What was potentially possible before remediation": "limited personal information" (see Item 8)
    • FAQ "Was my credit card or payment information exposed?": "did not expose financial or credit card information" (see Item 8)
    • FAQ "What information could have been exposed": "limited personal information such as name, address, phone number, and email address" (see Item 8)
    • FAQ "Was this a data breach?": "No evidence that customer data was accessed, acquired, or misused" (see Item 8)
  Primary source: archive.org
  Local mirror: local copy
  Size: 801.6 KB
  SHA-256 (truncated): e25a2717215d…
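The checks that Items 6 through 10 rest on (hash each mirrored capture at fetch time, verify the stored bytes against the manifest later, and compare the page-visible "Published" line, the "Revisions noted" line and the JSON-LD dateModified between consecutive captures, counting a capture as a republish when only the markup changed) can be reproduced with a short script. The following is an added example written for this page, not the site's own tooling. It assumes a flat timestamp-to-SHA-256 manifest layout; the HTML captures it operates on are tiny constructed stand-ins whose dateModified values for the 2026-03-09 and 2026-04-25 captures echo Item 10, while the first capture's dateModified is a placeholder and the 2026-04-02 republish is assumed to carry the unchanged 2026-03-02 value.

```python
"""Verify mirrored Wayback captures against a SHA-256 manifest and report
which page fields changed between consecutive captures.

Example code added to this page; not the site's own tooling. The manifest
layout (capture timestamp -> SHA-256 hex) is assumed. The HTML captures
below are constructed stand-ins, not the real mirrored pages.
"""
import hashlib
import json
import re

BODY_OLD = "The vulnerabilities did not expose financial or credit card information."
BODY_NEW = "The vulnerabilities did not expose payment card information."


def _sample_page(date_modified, published, body, revisions="", attr=""):
    """Build a tiny constructed HTML capture for the example."""
    rev = f'<p class="rev">Revisions noted: {revisions}</p>' if revisions else ""
    return (
        '<html><head><script type="application/ld+json">'
        f'{{"@type":"BlogPosting","dateModified":"{date_modified}"}}'
        f"</script></head><body{attr}>{rev}"
        f'<p class="meta">Published {published}</p><p>{body}</p></body></html>'
    ).encode("utf-8")


# Constructed captures keyed by Wayback-style timestamp. The dateModified
# values for 20260309 and 20260425 are those recorded in Item 10; the first
# capture's value is a placeholder, and the 20260402 republish is assumed to
# carry the unchanged 2026-03-02 value (it differs only in markup).
SAMPLE_CAPTURES = {
    "20260225": _sample_page("2026-02-24T00:00:00+00:00", "Feb 23, 2026", BODY_OLD),
    "20260309": _sample_page("2026-03-02T14:04:53+00:00", "Feb 24, 2026", BODY_OLD),
    "20260402": _sample_page("2026-03-02T14:04:53+00:00", "Feb 24, 2026", BODY_OLD,
                             attr=' class="republished"'),
    "20260425": _sample_page("2026-04-07T18:05:17+00:00", "Feb 24, 2026", BODY_NEW,
                             revisions="04/02/2026"),
}

_LD_RE = re.compile(r'<script[^>]*application/ld\+json[^>]*>(.*?)</script>', re.S | re.I)
_TAG_RE = re.compile(r"<[^>]+>")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(captures: dict) -> dict:
    """Record each capture's hash at fetch time (the role of manifest.json)."""
    return {ts: sha256_hex(body) for ts, body in captures.items()}


def verify_manifest(captures: dict, manifest: dict) -> list:
    """Return timestamps whose mirrored bytes no longer match the recorded hash."""
    return [ts for ts, body in captures.items() if manifest.get(ts) != sha256_hex(body)]


def extract_fields(html: bytes) -> dict:
    """Pull the JSON-LD dateModified and the visible 'Published' / 'Revisions
    noted' lines; hash the markup-stripped text so a republish with identical
    wording but different HTML is not counted as a content change."""
    text = html.decode("utf-8", "replace")
    ld = {}
    m = _LD_RE.search(text)
    if m:
        try:
            ld = json.loads(m.group(1))
        except json.JSONDecodeError:
            ld = {}
    visible = _TAG_RE.sub(" ", _LD_RE.sub(" ", text))  # drop script, then tags
    visible = re.sub(r"\s+", " ", visible).strip()
    pub = re.search(r"Published ([A-Z][a-z]{2} \d{1,2}, \d{4})", visible)
    rev = re.search(r"Revisions noted: (\d{2}/\d{2}/\d{4})", visible)
    return {
        "date_modified": ld.get("dateModified"),
        "published": pub.group(1) if pub else None,
        "revisions_noted": rev.group(1) if rev else None,
        "body_sha256": sha256_hex(visible.encode("utf-8")),
    }


def diff_captures(captures: dict) -> list:
    """Compare each capture with its predecessor in timestamp order."""
    order = sorted(captures)
    report = []
    prev = extract_fields(captures[order[0]])
    for ts in order[1:]:
        cur = extract_fields(captures[ts])
        changed = [k for k in ("published", "revisions_noted", "date_modified")
                   if prev[k] != cur[k]]
        report.append({
            "capture": ts,
            "changed": changed,
            "substantive": prev["body_sha256"] != cur["body_sha256"],
        })
        prev = cur
    return report


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_CAPTURES)
    print("manifest mismatches:", verify_manifest(SAMPLE_CAPTURES, manifest))
    for row in diff_captures(SAMPLE_CAPTURES):
        print(row)
```

Run against the constructed captures, the report flags the 2026-03-09 capture (published date and dateModified changed), passes the 2026-04-02 capture as a republish with no content change, and flags the 2026-04-25 capture (revisions line and dateModified changed), matching the classification in the capture summary. Hashing the raw bytes in the manifest and hashing the stripped text for change classification are kept separate on purpose: the first proves the mirror is untouched, the second decides whether a change is worth a table row.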

What this site does not say

This site does not characterize Gardyn’s statements. It documents the public record on each side and links to primary sources. Wayback Machine captures are independently maintained by the Internet Archive and can be inspected at the calendar link above. If Gardyn or any party believes a statement on this page is inaccurate, see the correction process on the methodology page.