Timeline
Dated events sourced from CISA, NVD, the maintainer’s coordinated-disclosure repository, and Gardyn’s own published posts.
| Date | Event | Source |
|---|---|---|
| October 14, 2025 | Initial private disclosure to Gardyn, made in dual capacity (researcher and consumer): the discloser’s own account record was visible in the unauthenticated /api/users response, providing direct standing as an affected data subject in addition to his capacity as the discovering researcher. Per the maintainer’s repository, the disclosure included: (a) the unauthenticated PII exposure on /api/users (later assigned CVE-2026-28766); and (b) unauthenticated remote code execution on a Gardyn device that the discloser owned (later assigned CVE-2025-29631, in combination with CVE-2025-1242). | Maintainer repository |
| December 11, 2025 | Disclosure to CERT/CC (parent case VU#653116) following vendor silence on the October 14 disclosure. Per the maintainer’s repository, this engagement was an escalation, made in the same dual capacity (researcher and consumer), after no substantive vendor response to the initial disclosure 58 days earlier; the PII exposure (later CVE-2026-28766) had been disclosed to Gardyn since October 14, 2025. | Maintainer repository |
| December 18, 2025 | Per the maintainer’s repository, the /api/users endpoint stopped returning data to unauthenticated requests on this date. | Maintainer repository |
| January 19, 2026 | Filed Personal Information Access Request (PIAR) with Gardyn Inc. as a Gardyn customer requesting disclosure of personal data held under the operative privacy policy then in effect. Consumer-capacity action. | Maintainer repository |
| January 19, 2026 | Firmware master.583 deployed (build date encoded in the version string master.583.20260119, per the maintainer’s repository). | Maintainer repository |
| January 22, 2026 | Per the maintainer’s repository, the Azure IoT Hub administrative credential (iothubowner) was rotated on this date; the previously distributed key stopped working. | Maintainer repository |
| January 27, 2026 | Gardyn customer support responded in writing to the January 19, 2026 PIAR. Among the representations: “we do not maintain or generate user-facing logs that track individual access events”; that personal information is not shared outside Gardyn; that telemetry is used solely for device functionality and diagnostics; that the customer’s Wi-Fi password is not viewable by Gardyn staff; and that Gardyn does not have access to the customer’s full credit card information. Several of these representations are independently in tension with the published privacy policy and/or with the CISA advisory’s documented exposure of the last_four partial payment-card field. Personal name of the responding agent redacted. Consumer-capacity action. | Maintainer repository |
| February 24, 2026 | CISA publishes ICSA-26-055-03 (initial: 4 CVEs), crediting Michael Groberman as the reporting researcher. Gardyn publishes mygardyn.com/blog/security-update/ the same day, announcing firmware master.619. The discloser is publicly named as the reporting researcher with this publication; the prior vendor disclosure (October 14, 2025) and CERT/CC escalation (December 11, 2025) were taken in dual capacity (researcher and consumer). | CISA / Gardyn |
| March 19, 2026 | Date listed as “Last updated” on Gardyn’s Privacy Policy at mygardyn.com/policy/privacy/. | Gardyn Privacy Policy |
| April 2, 2026 | CISA publishes Update A, expanding to ten CVEs. Added CVEs: CVE-2025-10681, CVE-2026-28766, CVE-2026-25197, CVE-2026-32646, CVE-2026-28767, CVE-2026-32662. Per CISA Update A and per the maintainer’s repository, CVE-2025-29631 is remediated in firmware master.622 (the version released after master.619). | CISA / Maintainer repository |
| April 2026 onward | Press coverage by SecurityWeek, Patrick Coyle, Cybersecurity News, Cyber Press, GBhackers, Cyber Technology Insights, BitNinja Security. See press coverage. | See press coverage |
| April 26, 2026 | This documentation site is published. | This site |
Capacity in which the disclosure was made
Per the maintainer’s repository, the October 14, 2025 disclosure to Gardyn and the December 11, 2025 escalation to CERT/CC were both made in dual capacity (researcher and consumer): the discloser’s own account record was visible in the unauthenticated /api/users response (CVE-2026-28766), so the report to the vendor and to CERT/CC and CISA is the conduct of an affected Gardyn customer who is also the discovering researcher, not third-party-researcher conduct on behalf of unrelated data subjects. CISA publicly credits Michael Groberman as the reporting researcher with the publication of ICSA-26-055-03 on February 24, 2026. Data-rights and regulatory filings (Personal Information Access Request submitted January 19, 2026; NJDPA right-to-know request; NJ Division of Consumer Affairs complaint) are consumer-only.
Key dates
- Initial private vendor disclosure (dual capacity — researcher and consumer): October 14, 2025
- CERT/CC escalation after vendor silence (dual capacity — researcher and consumer): December 11, 2025 (58 days after initial disclosure)
- /api/users endpoint stops responding to unauthenticated requests: December 18, 2025
- Personal Information Access Request (PIAR) filed with Gardyn (consumer-only): January 19, 2026
- iothubowner credential rotated: January 22, 2026
- Gardyn customer-support response to PIAR (consumer-only): January 27, 2026
- CISA ICSA-26-055-03 initial publication (CISA names discloser as reporting researcher): February 24, 2026
- CISA Update A: April 2, 2026
- Affected user records (per CVE-2026-28766): 134,215
- Registered devices (per maintainer repository): 138,160+
Embargoed material
Communications conducted on the CERT/CC VINCE coordination platform, and pre-publication communications with the vendor and CISA, are subject to coordination embargoes and are not reproduced here. Where this timeline lists a date during the coordination window, only the date and the public outcome are stated.