Frequently Asked Questions
About CISA advisory ICSA-26-055-03.
What is CISA advisory ICSA-26-055-03?
CISA ICSA-26-055-03 is a Cybersecurity and Infrastructure Security Agency advisory published on February 24, 2026 and updated on April 2, 2026 (Update A), documenting ten CVEs affecting the Gardyn Home Kit and Gardyn Studio IoT platform.
How many Gardyn customers are referenced in the advisory?
Per CVE-2026-28766 in the CISA advisory, the affected unauthenticated endpoint exposed records for approximately 134,215 customers. Per the maintainer’s coordinated-disclosure repository, 138,160+ devices were registered at the time of disclosure.
What does the advisory say about payment card data?
The CISA advisory describes CVE-2026-28766 as exposure of “all user account information” without enumerating field names. Per the maintainer’s coordinated-disclosure repository, the records returned by the affected endpoint included a partial payment-card field (last_four), not full card number or CVV. Per Gardyn’s customer-facing security update post (mygardyn.com/blog/security-update/), the vulnerabilities did not expose payment card information. See the discrepancies page.
What does CISA say about remediation?
Per CISA Update A, all ten CVEs in the advisory are remediated. Per CISA, the fix versions are mobile application 2.11.0 or later, cloud API 2.12.2026 or later, and Home Kit firmware master.622 or later. Gardyn’s customer-facing post stated firmware master.619; per CISA Update A, master.622 is the version in which CVE-2025-29631 is remediated. See how to update.
How can I tell if my data was within scope?
Per CVE-2026-28766, the affected endpoint exposed records for approximately 134,215 customers. The site maintainer cannot confirm any individual record and does not retain any data drawn from the exposure. A Gardyn account-holder can independently verify whether they held an account during the affected period by reviewing their email archives for Gardyn correspondence.
Can the vendor know whether customer data was actually accessed?
Per the maintainer’s coordinated-disclosure repository, no authentication-level access logging existed on the affected endpoints during the exposure window (sourced to coordinated-disclosure correspondence and to a 2026-01-27 Gardyn customer-support response to a Personal Information Access Request, not to the CISA advisory text). As a forensic matter, when no access logging exists on an endpoint, unauthenticated access to that endpoint during the unlogged window is not observable in the vendor’s logs. A statement that there is no evidence of access is constrained by what could be observed; in the absence of logging, the absence of evidence is structural rather than substantive. Gardyn’s customer-facing post states that, based on the investigation to date, there is no evidence that customer personal information was accessed; this site reproduces both that statement and the prior statement to CISA without further characterization. See vendor public statements Item 9.
How many endpoints in the advisory required no authentication?
Per CISA advisory ICSA-26-055-03 (Update A), the absence of authentication is documented across multiple endpoint categories: CVE-2026-28766 on /api/users (customer-facing data, approximately 134,215 records), CVE-2026-32646 on /api/admin/devices (administrative function), CVE-2026-28767 on /api/admin/notifications (administrative function), and CVE-2026-32662 covering development and test endpoints reachable in production. Per the CISA advisory, the lack of authentication is documented as a property of multiple endpoints across customer, administrative, and dev/test scopes.
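As an added example for the two points above (endpoints reachable without authentication, and the forensic consequence of having no access logging), and not code from the advisory, from this site, or from Gardyn: a constructed Python route table with an auth-required-by-default policy, an audit function a defender would run in CI to flag any route reachable without authentication in a given environment, and a per-request audit log written before the allow/deny decision is returned, so the question "was this path requested without credentials?" has an answer in the logs. The paths mirror the endpoint names in the advisory; the handlers, token set, policy flags and environment labels are assumptions for this example.

```python
"""Route-policy audit and per-request access log for an HTTP API (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for real token validation (a session store, JWT check, etc.).
VALID_TOKENS = {"token-alice"}


@dataclass
class Route:
    path: str
    handler: Callable[[], dict]
    auth_required: bool = True                       # secure default: routes opt out explicitly
    environments: Tuple[str, ...] = ("production", "development")  # where the route may exist


@dataclass
class AuditEntry:
    time: str
    path: str
    authenticated: bool
    decision: str  # "allowed" or "denied"


class Api:
    """Minimal router that enforces the route policy and logs every request, rejected ones included."""

    def __init__(self, environment: str):
        self.environment = environment
        self.routes: Dict[str, Route] = {}
        self.audit_log: List[AuditEntry] = []

    def add(self, route: Route) -> None:
        self.routes[route.path] = route

    def handle(self, path: str, token: Optional[str]) -> dict:
        route = self.routes.get(path)
        if route is None or self.environment not in route.environments:
            return {"status": 404}
        authenticated = token in VALID_TOKENS
        allowed = authenticated or not route.auth_required
        # Log before returning the decision, so an unauthenticated attempt against
        # a protected route remains observable afterwards.
        self.audit_log.append(AuditEntry(
            time=datetime.now(timezone.utc).isoformat(),
            path=path,
            authenticated=authenticated,
            decision="allowed" if allowed else "denied",
        ))
        if not allowed:
            return {"status": 401}
        return {"status": 200, "body": route.handler()}


def audit_unauthenticated_routes(api: Api) -> List[str]:
    """Paths reachable in api.environment without authentication.
    Meant to run in CI against the real route table; the expected result in production is []."""
    return sorted(
        r.path for r in api.routes.values()
        if not r.auth_required and api.environment in r.environments
    )


def unauthenticated_requests(api: Api, path: str) -> List[AuditEntry]:
    """Answer 'was this path requested without credentials?' from the audit log."""
    return [e for e in api.audit_log if e.path == path and not e.authenticated]


def build_demo_api(environment: str) -> Api:
    """Constructed route table. Paths mirror the endpoint names in the advisory;
    handlers, policy flags and environments are assumptions for this example."""
    api = Api(environment)
    api.add(Route("/api/users", lambda: {"users": "[redacted]"}))
    api.add(Route("/api/admin/devices", lambda: {"devices": []}))
    # Deliberately misconfigured so the audit has something to catch.
    api.add(Route("/api/admin/notifications", lambda: {"sent": 0}, auth_required=False))
    # Dev/test route: acceptable in development, must never be registered in production.
    api.add(Route("/api/dev/echo", lambda: {"echo": True},
                  auth_required=False, environments=("development",)))
    return api


if __name__ == "__main__":
    prod = build_demo_api("production")
    print("unauthenticated routes in production:", audit_unauthenticated_routes(prod))
    prod.handle("/api/users", None)  # denied, but logged
    for entry in unauthenticated_requests(prod, "/api/users"):
        print(entry)
```

The two checks are independent on purpose: the route audit is preventive (it fails the build when a route is reachable without credentials in production, or when a dev/test route is registered there), while the audit log is what makes a later "no evidence of access" statement substantive rather than structural, because a denied unauthenticated request to a protected route leaves a record.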
What does CISA recommend for customers?
Per CISA Update A, customer-side remediation is to ensure the mobile app, cloud API client, and device firmware are at the fix versions stated in the advisory. Per CISA, general guidance for IoT devices includes minimizing internet exposure, placing devices behind a firewall, and using updated VPN software for remote access where required. See For Customers and how to update.
Who is credited as the researcher?
The CISA advisory credits Michael Groberman (handle: Gr0m) as the reporting researcher for the coordinated disclosure of the ten CVEs. Per the maintainer’s coordinated-disclosure repository, throughout the disclosure period (October 14, 2025 through February 23, 2026) Michael Groberman self-identified to Gardyn and to CERT/CC as a Gardyn customer with technical knowledge, and did not adopt the “security researcher” label during that period. The “researcher” label was applied by CISA in advisory ICSA-26-055-03 published February 24, 2026; Mr. Groberman has worked publicly as a security researcher since that publication. Per the same repository, three of the original four CVEs (CVE-2025-29628, CVE-2025-29629, CVE-2025-29631) were originally disclosed by mselbrede in February 2025; the current advisory cites that prior work.
In what capacity was the original disclosure made?
Per the maintainer’s repository, the October 14, 2025 disclosure to Gardyn and the December 11, 2025 escalation to CERT/CC were both made by Michael Groberman in his self-identified capacity as a Gardyn customer with technical knowledge. Standing was first-person: the records returned by the affected /api/users endpoint included the discloser’s own Gardyn customer account record, and the device on which unauthenticated remote code execution was demonstrated was a Gardyn device the discloser owned. Throughout the entire disclosure period (October 14, 2025 through February 23, 2026), the discloser consistently identified himself as a customer and did not adopt the “researcher” label. The “researcher” designation was applied by CISA on February 24, 2026 with the publication of advisory ICSA-26-055-03.
When did the disclosure to Gardyn happen?
Per the maintainer’s coordinated-disclosure repository, initial private disclosure to Gardyn was on October 14, 2025. That initial disclosure covered both the unauthenticated PII exposure on /api/users (later assigned CVE-2026-28766), with the discloser’s own Gardyn customer account record among the records returned by the affected endpoint, and unauthenticated remote code execution on a Gardyn device the discloser owned (later assigned CVE-2025-29631 in combination with CVE-2025-1242). The disclosure was made in the discloser’s self-identified capacity as a Gardyn customer with technical knowledge.
Was the disclosure coordinated?
Per the maintainer’s repository, initial private vendor disclosure was October 14, 2025 and covered the unauthenticated PII exposure (later CVE-2026-28766), with the discloser’s own Gardyn customer account record providing first-person standing, and unauthenticated remote code execution on a Gardyn device the discloser owned (CVE-2025-29631 in combination with CVE-2025-1242). CERT/CC engagement (parent case VU#653116) on December 11, 2025 was an escalation after 58 days of vendor silence on the October 14 disclosure, not the first mention of the PII issue. Both stages were carried out in the discloser’s self-identified capacity as a Gardyn customer with technical knowledge. CISA published the initial advisory on February 24, 2026. See the coordinated disclosure process page.
Is this site affiliated with Gardyn?
No. This site is independent documentation of CISA advisory ICSA-26-055-03. It is not affiliated with, endorsed by, or sponsored by Gardyn Inc. “Gardyn” is used solely as a nominative reference for identification.
How can journalists or researchers contact the maintainer?
See the press kit and the contact page. PGP and Signal are available on request.
How do I submit a correction?
Email corrections@gardyn-security-incident.info. Corrections are welcomed and processed with a dated correction-log entry per the methodology.
What does CVSS 9.3 mean?
CVSS (Common Vulnerability Scoring System) is a standardized severity score from 0.0 to 10.0. Scores from 9.0 to 10.0 are categorized as Critical. The score 9.3 reflects the specific metric values of the CVSS vector for that CVE; full vector strings are on each per-CVE page. See the glossary.
Is this a data breach under state law?
That is a fact-specific legal question that varies by jurisdiction. State breach-notification statutes apply different definitions; some statutes condition the notification trigger on a finding that data was acquired by an unauthorized person, and others on whether such acquisition is reasonably believed to have occurred. Gardyn’s customer-facing security update post characterizes the incident as not a data breach. Per the maintainer’s repository, no authentication-level access logging existed on the affected endpoints during the exposure window (sourced to coordinated-disclosure correspondence and to a 2026-01-27 Gardyn customer-support response to a Personal Information Access Request, not to the CISA advisory text), which is a fact relevant to any jurisdiction-specific analysis of detectability. The CISA advisory documents ten CVEs but does not adjudicate state-law breach status. See the For Customers page for jurisdiction-specific resources.
Why does the timeline list vendor actions in December 2025 and January 2026?
Per the maintainer’s coordinated-disclosure repository, the /api/users endpoint stopped returning data to unauthenticated requests on December 18, 2025, and the Azure IoT Hub iothubowner administrative credential was rotated on January 22, 2026. These are dates on which observable changes in vendor infrastructure occurred during the coordination window prior to public CISA publication. See the coordinated disclosure process page.
Submit a question
Email contact@gardyn-security-incident.info. For press, use press@gardyn-security-incident.info. For corrections, use corrections@gardyn-security-incident.info.