PatchSiren cyber security CVE debrief
CVE-2026-25197 Gardyn CVE debrief
CVE-2026-25197 is a critical-severity access-control weakness in Gardyn's products: according to the advisory, a specific API endpoint lets authenticated users pivot to other user profiles by modifying the id number in the call. CISA published the advisory on 2026-02-24 with a CVSS 3.1 score of 9.1 (Critical); Update A on 2026-04-02 added this CVE and related mitigations. The practical takeaway is that this is an authorization boundary issue: any service or app path that acts on a client-supplied object identifier must verify, server-side, that the authenticated principal is entitled to that object before returning profile data or allowing actions on it.
- Vendor
- Gardyn
- Product
- Gardyn firmware versions prior to master.619 (listed as "<master.619" in the stored advisory metadata)
- CVSS
- CRITICAL 9.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-24
- Original CVE updated
- 2026-04-02
- Advisory published
- 2026-02-24
- Advisory updated
- 2026-04-02
Who should care
Gardyn customers, fleet administrators, and security teams responsible for Gardyn Home/Studio firmware, the Gardyn mobile application, and the Gardyn Cloud API should treat this as a priority issue. It is especially relevant anywhere user profiles, device settings, or account-linked data are exposed through API endpoints that accept numeric identifiers.
Technical summary
The advisory's description indicates an authorization flaw matching insecure direct object reference (IDOR) behaviour: the endpoint accepts an id value, and changing that value switches the request context to another user's profile. The stored advisory metadata gives the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N and references CWE-639 (Authorization Bypass Through User-Controlled Key), which is consistent with an access-control failure that exposes or alters another user's data when server-side checks are missing or incomplete. The supplied advisory materials also state that fixes were included in later Gardyn mobile app releases and recommend updating affected Home Kit and Studio firmware to master.622 or later.
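The following is an added illustration of the CWE-639 pattern described above, not Gardyn's API or app code: the route shape, the profile store, the session model and the admin role table are all hypothetical. It shows the same cross-account request against a handler that trusts the client-supplied id and against one that makes the authorization decision from the server-side principal.

```python
# Added example illustrating the CWE-639 / IDOR pattern the advisory describes.
# Illustrative code only, not Gardyn's: PROFILES, ADMIN_IDS, Session and the
# handler names are hypothetical.
from dataclasses import dataclass

# Constructed sample profile store keyed by numeric id (hypothetical data).
PROFILES = {
    101: {"name": "alice", "email": "alice@example.com"},
    102: {"name": "bob", "email": "bob@example.com"},
}
# Hypothetical role table: only these principals may read other users' profiles.
ADMIN_IDS = {9001}


@dataclass(frozen=True)
class Session:
    """Identity the server established at login; the client cannot change it."""
    user_id: int


class Forbidden(Exception):
    pass


def get_profile_vulnerable(session: Session, profile_id: int) -> dict:
    """Trusts the client-supplied id: any authenticated session can read any
    profile just by changing the number in the request (the advisory's weakness class)."""
    return PROFILES[profile_id]


def is_authorized(session: Session, profile_id: int) -> bool:
    """Object-level decision from the server-side principal and the requested
    object, never from anything the client claims about itself."""
    return session.user_id == profile_id or session.user_id in ADMIN_IDS


def get_profile_hardened(session: Session, profile_id: int) -> dict:
    """Same endpoint with the authorization check applied on every request."""
    if not is_authorized(session, profile_id):
        # Deny before touching the object, so a denied id leaks nothing about it.
        raise Forbidden("profile %d is not accessible to user %d" % (profile_id, session.user_id))
    return PROFILES[profile_id]


def get_own_profile(session: Session) -> dict:
    """Alternative for 'current user' endpoints: derive the object from the
    session and accept no id from the client at all."""
    return PROFILES[session.user_id]


def demo() -> dict:
    """Outcome of alice (101) requesting bob's (102) profile through each handler."""
    alice = Session(user_id=101)
    result = {"vulnerable": get_profile_vulnerable(alice, 102)["name"]}
    try:
        get_profile_hardened(alice, 102)
        result["hardened"] = "allowed"
    except Forbidden:
        result["hardened"] = "denied"
    result["own"] = get_own_profile(alice)["name"]
    return result


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 'bob', 'hardened': 'denied', 'own': 'alice'}
```

The point of `is_authorized` is that the decision takes both the principal and the object as inputs; filtering or hiding ids in the client does nothing, because the client is the party choosing the id.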
Defensive priority
Critical: the weakness is reachable over the network and carries high confidentiality and integrity impact against customer data and account boundaries, so remediation should be prioritized quickly across all affected Gardyn-managed environments.
Recommended defensive actions
- Update the Gardyn mobile application to the latest supported version.
- Upgrade Gardyn Home Kit and Studio devices to firmware master.622 or later, as recommended by Gardyn.
- Verify current app and firmware versions inside the Gardyn app and confirm all devices are on supported releases.
- Review API endpoints that take object IDs and enforce server-side authorization checks for every request, not just client-side filtering.
- Audit logs for unusual profile switching, cross-account reads, or changes involving mismatched user identifiers.
- Ensure devices remain connected so firmware updates can download automatically, or reconnect any offline devices to complete remediation.
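As an added example of the log review recommended above (not Gardyn's logging or tooling; the log format, URL paths and every entry are constructed for this illustration), the script below flags requests whose authenticated user id differs from the profile id in the URL, and then surfaces actors that reached several distinct profiles, which is the signature of someone walking ids.

```python
# Added example of the audit step above: detect cross-account profile access
# and id-walking in an API access log. The format, paths and entries are
# constructed and hypothetical, not Gardyn's.
import re
from collections import defaultdict

# Constructed sample log: timestamp, authenticated uid, method, path, status.
SAMPLE_LOG = """\
2026-03-01T10:00:01Z uid=101 GET /api/v1/users/101/profile 200
2026-03-01T10:00:05Z uid=101 GET /api/v1/users/102/profile 200
2026-03-01T10:00:06Z uid=101 GET /api/v1/users/103/profile 200
2026-03-01T10:00:07Z uid=101 PUT /api/v1/users/104/profile 200
2026-03-01T10:01:00Z uid=102 GET /api/v1/users/102/profile 200
2026-03-01T10:01:30Z uid=102 GET /api/v1/users/105/profile 403
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\d+) (?P<method>[A-Z]+) "
    r"/api/v1/users/(?P<target>\d+)/profile (?P<status>\d{3})$"
)


def parse_log(text: str) -> list:
    """Parse the constructed format into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for key in ("uid", "target", "status"):
                d[key] = int(d[key])
            entries.append(d)
    return entries


def find_cross_account_access(entries: list, include_denied: bool = False) -> list:
    """Requests where the session uid differs from the object id in the path.
    By default only 2xx responses count, since those show the server-side
    check failed; include_denied=True also returns blocked attempts."""
    hits = []
    for e in entries:
        if e["uid"] == e["target"]:
            continue
        if include_denied or 200 <= e["status"] < 300:
            hits.append(e)
    return hits


def enumeration_suspects(hits: list, min_targets: int = 3) -> dict:
    """Map actor uid -> sorted distinct profile ids for actors that touched at
    least min_targets other profiles (id walking rather than a one-off)."""
    targets = defaultdict(set)
    for h in hits:
        targets[h["uid"]].add(h["target"])
    return {uid: sorted(t) for uid, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    hits = find_cross_account_access(parse_log(SAMPLE_LOG))
    for h in hits:
        print(f"{h['ts']} uid={h['uid']} {h['method']} profile {h['target']} -> {h['status']}")
    print(enumeration_suspects(hits))  # {101: [102, 103, 104]}
```

Run the denied attempts through the same functions with `include_denied=True` once the fix is deployed: a spike in 403s from one actor after patching is the same behaviour, now blocked, and still worth an account review.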
Evidence notes
The source advisory text states: 'A specific endpoint allows authenticated users to pivot to other user profiles by modifying the id number in the API call.' The supplied advisory metadata also lists the CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N and references CWE-639. Note that the vector's PR:N (no privileges required) does not match the description's 'authenticated users'; the stored evidence does not resolve this, so do not assume a login is required to reach the endpoint until the vendor or CISA clarifies. Update A on 2026-04-02 added CVE-2026-25197 and adjusted mitigations and affected product mappings.
Official resources
- CVE-2026-25197 CVE record (CVE.org)
- CVE-2026-25197 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the advisory on 2026-02-24 and issued Update A on 2026-04-02, which added CVE-2026-25197 and updated mitigations and product associations. The supplied source does not indicate KEV listing or a known ransomware campaign.