PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-28767 Gardyn CVE debrief

CVE-2026-28767 affects Gardyn Home Kit-related products and describes an administrative notifications endpoint that is accessible without proper authentication. CISA published the advisory on 2026-02-24 and later added this CVE in Update A on 2026-04-02. The supplied CVSS vector indicates a network-reachable issue with no privileges or user interaction required and low confidentiality impact.

Vendor: Gardyn
Product: <master.619
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-24
Original CVE updated: 2026-04-02
Advisory published: 2026-02-24
Advisory updated: 2026-04-02

Who should care

Owners and administrators of Gardyn Home/Studio devices, the Gardyn mobile application, and the Gardyn Cloud API; defenders responsible for Internet-connected IoT or home-automation devices; teams validating firmware and app update posture.

Technical summary

The CISA CSAF advisory states that a specific administrative endpoint, "notifications," is accessible without proper authentication. The supplied scoring context is CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, which means the issue can be reached over the network without prior access or user interaction and is characterized as a confidentiality-only exposure (low confidentiality impact, no integrity or availability impact). CISA’s mitigation guidance says the relevant fixes are in the latest Gardyn mobile application, that users can check the current app and home firmware versions in the app, and that Home Kit and Studio devices should be upgraded to firmware master.622 or later.

Defensive priority

Moderate to high. The issue is unauthenticated and network-reachable, so exposed deployments should be prioritized even though the stated impact is limited.

Recommended defensive actions

  • Update the Gardyn mobile application to the latest supported version.
  • Upgrade Gardyn Home Kit and Studio devices to firmware master.622 or later.
  • Verify the current app and device firmware versions in the Gardyn app and remediate any out-of-date systems first.
  • Ensure affected devices have working Internet connectivity so required firmware updates can download automatically.
  • Limit exposure of administrative interfaces to trusted networks and follow CISA ICS defense-in-depth guidance for segmentation and access control.
  • Monitor for unexpected access to administrative endpoints, including the notifications endpoint, and investigate anomalous requests.
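Two of the actions above are mechanically checkable: whether each device's reported firmware is at or beyond master.622, and whether anything is reaching the notifications administrative endpoint without a credential. The following added example (not part of the PatchSiren debrief or of any Gardyn software) does both over constructed data. It assumes Gardyn firmware strings follow the master.NNN pattern seen in the advisory with the build number ordering releases, assumes a URL path of /notifications for the endpoint the advisory only names, and uses a made-up access-log format, since the advisory does not describe device or cloud logging.

```python
"""Firmware triage and unauthenticated-admin-access detection.

Added example. The inventory, the log format, and the '/notifications' path
are constructed for illustration; only the 'master.NNN' version style and the
master.622 fix line come from the advisory.
"""
import re
from typing import Optional

FIXED_FIRMWARE = "master.622"

# Assumption: firmware strings are 'master.<build number>' and the build
# number orders releases. Anything that does not match is treated as unknown.
_FW_RE = re.compile(r"^master\.(\d+)$")


def firmware_build(version: str) -> Optional[int]:
    m = _FW_RE.match(version.strip())
    return int(m.group(1)) if m else None


def needs_upgrade(version: str) -> bool:
    """True when the firmware is below the fix line or cannot be parsed.

    An unparseable version is reported rather than silently passed, so an
    operator has to look at it instead of assuming it is patched.
    """
    build = firmware_build(version)
    return build is None or build < firmware_build(FIXED_FIRMWARE)


# Constructed inventory: device name -> firmware string as shown in the app.
INVENTORY = {
    "home-kitchen": "master.619",
    "studio-lab": "master.622",
    "home-balcony": "master.630",
    "home-guest": "unknown",
}


def devices_to_upgrade(inventory: dict) -> list:
    return sorted(name for name, ver in inventory.items() if needs_upgrade(ver))


# Constructed log lines: client, method, path, status, and the credential
# presented ('-' when the request carried none).
SAMPLE_LOG = """\
203.0.113.10 GET /notifications 200 auth=-
203.0.113.10 GET /notifications 200 auth=Bearer
10.0.0.5 GET /notifications 200 auth=Bearer
198.51.100.7 POST /notifications 401 auth=-
10.0.0.5 GET /status 200 auth=-
this line is garbage and must not crash the scan
"""

_LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) auth=(\S+)$")

# Assumed path for the administrative endpoint the advisory calls "notifications".
ADMIN_PATHS = {"/notifications"}


def unauthenticated_admin_hits(log_text: str) -> list:
    """Return (client, method, path) for admin requests that succeeded with no credential.

    A 401 for a credential-less request is the endpoint behaving correctly and
    is not flagged; a 2xx with no credential is the condition the advisory
    describes and is what defenders should investigate.
    """
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        client, method, path, status, auth = m.groups()
        if path in ADMIN_PATHS and auth == "-" and status.startswith("2"):
            hits.append((client, method, path))
    return hits


if __name__ == "__main__":
    print("upgrade first:", devices_to_upgrade(INVENTORY))
    for hit in unauthenticated_admin_hits(SAMPLE_LOG):
        print("unauthenticated admin access:", hit)
```

In a real deployment the log parser would be replaced with whatever the cloud API or reverse proxy actually emits, and the admin path set populated from the application's routing table; the logic of "successful admin request with no credential" is the part that carries over.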

Evidence notes

Primary evidence comes from the CISA CSAF advisory ICSA-26-055-03 (raw JSON source) and its revision history. The advisory description explicitly says the notifications administrative endpoint is accessible without proper authentication, and the notes include SSVCv2/E:N/A:Y/2026-03-31T05:00:00.000000Z. The update on 2026-04-02 added CVE-2026-28767 to the advisory and updated mitigations to recommend firmware master.622 or later plus the latest supported Gardyn mobile app. Product naming in the source is inconsistent/aggregated, so affected-product normalization should be reviewed before internal ticketing.

Official resources

CISA published ICSA-26-055-03 on 2026-02-24 and issued Update A on 2026-04-02, at which point CVE-2026-28767 was included in the advisory revision history. The supplied source does not include exploit code or confirmed exploitation.