For Gardyn Customers
What is documented in CISA advisory ICSA-26-055-03 and the maintainer’s coordinated-disclosure repository regarding Gardyn customer accounts.
What is documented
Per CISA advisory ICSA-26-055-03 Update A (April 2, 2026), an unauthenticated cloud API endpoint (CVE-2026-28766) exposed records described in the advisory as “all user account information” for approximately 134,215 customers. Per the maintainer’s coordinated-disclosure repository, each record returned by the bulk /api/users endpoint enumerated twelve fields (full enumeration on the CVE-2026-28766 page):
- Personally identifiable information: full name, email, and mobile phone number
- Partial payment-card field (last_four): not the full card number or CVV; null for non-paying members
- Account metadata: subscription tier, expiration date, internal sequential user_id, IANA timezone, and account creation timestamp
- Device identifiers: device_id and a per-device IoT Hub device_conn_string
- An Azure IoT Hub administrative credential: hub_conn_string containing the iothubowner SharedAccessKey, separately cataloged as CVE-2025-1242. Per Azure IoT Hub documentation, this credential grants Service Connect, Device Connect, and Registry Read/Write across the entire production IoT Hub controlling the registered device fleet.
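The following is an added example, not code from the advisory, the vendor, or the maintainer's repository. It audits a constructed record shaped like the documented /api/users response and flags which fields should never leave an unauthenticated endpoint, distinguishing the hub-wide iothubowner policy from a per-device key. Field names last_four, user_id, device_id, device_conn_string and hub_conn_string come from the page; name, email, phone, tier and every value are constructed, and the connection-string layout (HostName=...;SharedAccessKeyName=...;SharedAccessKey=...) is the documented Azure IoT Hub format.

```python
import re

# Azure IoT Hub connection strings are semicolon-separated key=value pairs.
_KV = re.compile(r"([A-Za-z]+)=([^;]+)")

# Fields that must never appear in an unauthenticated response, by risk class.
PII_FIELDS = {"name", "email", "phone"}                          # constructed names
PARTIAL_CARD_FIELDS = {"last_four"}                              # from the page
CONN_STRING_FIELDS = {"device_conn_string", "hub_conn_string"}   # from the page


def parse_conn_string(s: str) -> dict:
    """Split 'HostName=...;SharedAccessKeyName=...;SharedAccessKey=...' into a dict."""
    return {k: v for k, v in _KV.findall(s)}


def audit_record(rec: dict) -> list[str]:
    """Return one finding string per sensitive, non-null field in a user record."""
    findings = []
    for key, value in rec.items():
        if value is None:          # e.g. last_four is null for non-paying members
            continue
        if key in PII_FIELDS:
            findings.append(f"PII:{key}")
        elif key in PARTIAL_CARD_FIELDS:
            findings.append(f"partial-card:{key}")
        elif key in CONN_STRING_FIELDS:
            parts = parse_conn_string(value)
            # A device string carries no policy name; a hub string names its policy.
            policy = parts.get("SharedAccessKeyName", "device")
            # iothubowner is the built-in hub-wide policy (service connect,
            # device connect, registry read/write); anything else is narrower.
            scope = "HUB-WIDE" if policy == "iothubowner" else "scoped"
            findings.append(f"credential:{key}:{policy}:{scope}")
    return findings


SAMPLE_RECORD = {  # constructed sample; values are fake
    "user_id": 1042,
    "name": "Example Customer",
    "email": "customer@example.com",
    "phone": "+1-555-0100",
    "last_four": None,
    "tier": "free",
    "device_id": "gardyn-device-0001",
    "device_conn_string": "HostName=example.azure-devices.net;DeviceId=gardyn-device-0001;SharedAccessKey=ZmFrZQ==",
    "hub_conn_string": "HostName=example.azure-devices.net;SharedAccessKeyName=iothubowner;SharedAccessKey=ZmFrZQ==",
}

if __name__ == "__main__":
    for finding in audit_record(SAMPLE_RECORD):
        print(finding)
```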
A separately-cataloged single-record companion endpoint (/api/user/{id}, published as CVE-2026-25197) returned per-user records — including physical addresses — by sequential integer ID with no authentication, making the same user space enumerable one record at a time.
Per Gardyn’s customer-facing security update post (mygardyn.com/blog/security-update/), the vulnerabilities did not expose payment card information. The vendor’s description of information at risk lists plant photos and limited demographic information comprising name, address, phone number, and email; the vendor list does not include partial payment card data.
The two descriptions do not reconcile. See the discrepancies page for the side-by-side with primary-source links.
Status per CISA
Per CISA Update A, all ten CVEs in ICSA-26-055-03 are remediated. Customer-side fixes per CISA: Gardyn mobile application 2.11.0 or later; Gardyn cloud API 2.12.2026 or later; Home Kit firmware master.622 or later. See how to update your device.
Resources by jurisdiction
The pages below summarize publicly documented resources for residents of each jurisdiction. They are not legal advice. For legal advice specific to your situation, consult an attorney licensed in your jurisdiction.
- California (CCPA / CPRA)
- New York (SHIELD Act, GBL § 349)
- New Jersey (N.J.S.A. 56:8-163, NJCFA)
- Massachusetts (201 CMR 17.00, Chapter 93A)
- Illinois (PIPA, Consumer Fraud Act)
- Texas (Identity Theft Enforcement Act, DTPA)
EU/UK/EEA residents
Residents of the EU, United Kingdom, and European Economic Area may have rights under the EU GDPR or UK GDPR, including the right to be informed of a personal data breach affecting them. Complaints can be filed with a national Data Protection Authority. The supervisory authority for cross-border processing depends on where the data controller is established within the EU.
U.S. federal options (any state)
- Federal Trade Commission consumer complaint at reportfraud.ftc.gov.
- Identity theft recovery resources at identitytheft.gov.
- Free fraud alerts and credit freezes are available with the three U.S. credit bureaus (Equifax, Experian, TransUnion).
If you held a Gardyn account during the affected period
Per CVE-2026-28766, the affected endpoint exposed records for approximately 134,215 customers. The site maintainer cannot confirm whether any individual record was within scope and does not retain any data drawn from the exposure. Holders of Gardyn accounts can independently verify whether they held an account during the affected period by reviewing their email archives for Gardyn correspondence.