PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32646 Gardyn CVE debrief

CVE-2026-32646 is a HIGH-severity authentication bypass issue in Gardyn’s ecosystem. CISA’s advisory says a specific administrative endpoint is accessible without proper authentication, which exposes device management functions. The advisory was first published on 2026-02-24 and updated on 2026-04-02 with added vulnerabilities and revised mitigations.

Vendor: Gardyn
Product: Gardyn devices (affected versions: <master.619)
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-24
Original CVE updated: 2026-04-02
Advisory published: 2026-02-24
Advisory updated: 2026-04-02

Who should care

Owners and administrators of Gardyn Home Kit and Studio devices, especially environments using the Gardyn mobile application and cloud-connected services. Security teams should also pay attention if these devices are internet-reachable or centrally managed.

Technical summary

The advisory describes an administrative endpoint that is reachable without authentication. The supplied CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: network-reachable, low attack complexity, no privileges or user interaction required, and high confidentiality impact, while integrity and availability impacts are not asserted in the source. The source notes also include an SSVCv2 decision-point record, SSVCv2/E:N/A:Y/2026-03-31T05:00:00.000000Z (Exploitation: none observed; Automatable: yes, as of that timestamp). CISA’s update lists affected Gardyn Home firmware, Gardyn Studio firmware, the Gardyn mobile application, and the Gardyn Cloud API in the advisory metadata, and recommends updated firmware/app versions as mitigation.

Defensive priority

High — prioritize patching and validating that only supported, current Gardyn app/firmware versions are in use.

Recommended defensive actions

  • Update Gardyn Home Kit and Studio devices to firmware master.622 or later, per the advisory.
  • Update the Gardyn mobile application to the most recent supported version.
  • Verify the current app and home firmware versions from within the Gardyn app.
  • Ensure devices have network connectivity so required firmware updates can be automatically downloaded and applied.
  • Review access to Gardyn-connected devices and services for any unnecessary exposure, especially from untrusted networks.
  • Monitor the CISA advisory and Gardyn security guidance for any further mitigation changes.

Evidence notes

CISA’s CSAF advisory ICSA-26-055-03 (CVE-2026-32646) states: “A specific administrative endpoint is accessible without proper authentication, exposing device management functions.” The advisory was initially published on 2026-02-24 and updated on 2026-04-02 (“Update A”). The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, which matches the listed score of 7.5 (High). The source corpus also includes an SSVCv2 note: E:N/A:Y/2026-03-31T05:00:00.000000Z. No KEV listing is indicated in the provided data.

Official resources

Publicly disclosed by CISA in ICSA-26-055-03 on 2026-02-24 and updated on 2026-04-02. The provided data does not indicate CISA KEV inclusion.