PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-28766 Gardyn CVE debrief

CVE-2026-28766 is a critical authentication failure in Gardyn Home Kit-related products: a specific endpoint exposes registered user account information without requiring authentication. CISA rates the issue CVSS v3.1 base score 9.3 (network-reachable, no privileges, no user interaction), with the main impact on confidentiality.

Vendor
Gardyn
Product
Gardyn Home Firmware < master.619
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-24
Original CVE updated
2026-04-02
Advisory published
2026-02-24
Advisory updated
2026-04-02

Who should care

Gardyn users and anyone responsible for Gardyn-connected home or studio devices should treat this as urgent, especially if they rely on the Gardyn mobile app and cloud-connected services.

Technical summary

CISA’s CSAF advisory states that a specific endpoint can expose all user account information for registered Gardyn users without authentication. The advisory maps the issue to CWE-306 and lists affected products including Gardyn Home Firmware < master.619, Gardyn Studio Firmware, Gardyn Mobile Application < 2.11.0, and Gardyn Cloud API < 2.12.2026. The published CVSS vector is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N, indicating a network-reachable issue with no auth barrier and high confidentiality impact.

Defensive priority

Immediate: apply vendor-recommended updates as soon as possible because the flaw allows unauthenticated access to user account data.

Recommended defensive actions

  • Update the Gardyn mobile application to the latest supported version.
  • Upgrade Gardyn Home and Gardyn Studio devices to firmware master.622 or later.
  • Ensure the devices have network connectivity so firmware updates can download automatically.
  • Check the current app and Home firmware versions in the Gardyn app.
  • If updates cannot be applied, contact Gardyn support and follow the published security guidance.

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-26-055-03 and its referenced official resources. The advisory description explicitly states that a specific endpoint exposes all user account information for registered Gardyn users without authentication. The advisory revision history shows initial publication on 2026-02-24 and Update A on 2026-04-02, which added CVE-2026-28766 and revised mitigations. Vendor attribution in the source is low-confidence and marked for review, so product naming should be treated carefully.

Official resources

Publicly disclosed by CISA as ICSA-26-055-03, with CVE-2026-28766 published on 2026-02-24 and the advisory updated on 2026-04-02 (Update A) to add the CVE and revise mitigations.