For Gardyn Customers

What is documented in CISA advisory ICSA-26-055-03 and the researcher’s coordinated-disclosure repository regarding Gardyn customer accounts.

What is documented

Per CISA advisory ICSA-26-055-03 Update A (April 2, 2026), an unauthenticated cloud API endpoint (CVE-2026-28766) exposed records described in the advisory as “all user account information” for approximately 134,215 customers. Per the researcher’s coordinated-disclosure repository, those records included:

• Full name
• Email address
• Physical address
• Phone number
• Last four digits of payment card (last_four field)

Per Gardyn’s customer-facing security update post (mygardyn.com/blog/security-update/), the vulnerabilities did not expose payment card information. The vendor’s description of information at risk lists plant photos and limited demographic information comprising name, address, phone number, and email; the vendor list does not include partial payment card data.

The two descriptions do not reconcile. See the discrepancies page for the side-by-side with primary-source links.

Status per CISA

Per CISA Update A, all ten CVEs in ICSA-26-055-03 are remediated. Customer-side fixes per CISA: Gardyn mobile application 2.11.0 or later; Gardyn cloud API 2.12.2026 or later; Home Kit firmware master.622 or later. See how to update your device.

Resources by jurisdiction

The pages below summarize publicly documented resources for residents of each jurisdiction. They are not legal advice. For legal advice specific to your situation, consult an attorney licensed in your jurisdiction.

• California (CCPA / CPRA)
• New York (SHIELD Act, GBL § 349)
• Massachusetts (201 CMR 17.00, Chapter 93A)
• Illinois (PIPA, Consumer Fraud Act)
• Texas (Identity Theft Enforcement Act, DTPA)

EU/UK/EEA residents

Residents of the EU, United Kingdom, and European Economic Area may have rights under the EU GDPR or UK GDPR, including the right to be informed of a personal data breach affecting them. Complaints can be filed with a national Data Protection Authority. The supervisory authority for cross-border processing depends on where the data controller is established within the EU.

U.S. federal options (any state)

• Federal Trade Commission consumer complaint at reportfraud.ftc.gov.
• Identity theft recovery resources at identitytheft.gov.
• Free fraud alerts and credit freezes are available with the three U.S. credit bureaus (Equifax, Experian, TransUnion).

If you held a Gardyn account during the affected period

Per CVE-2026-28766, the affected endpoint exposed records for approximately 134,215 customers. The site maintainer cannot confirm whether any individual record was within scope and does not retain any data drawn from the exposure. Holders of Gardyn accounts can independently verify whether they held an account during the affected period by reviewing their email archives for Gardyn correspondence.

Related pages on this site

• How to update your Gardyn device
• Frequently asked questions
• Glossary of security terms
• Timeline of the disclosure