PatchSiren

CVE-2026-32662 Gardyn CVE debrief

CVE-2026-32662 concerns Gardyn Home Kit components where development and test API endpoints mirror production functionality. CISA published the advisory on 2026-02-24 and updated it on 2026-04-02 to add this CVE and refresh affected product and mitigation details. The advisory rates the issue at a CVSS v3.1 base score of 5.3 (Medium), with a low confidentiality impact and no integrity or availability impact.

Vendor: Gardyn
Product: <master.619
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-24
Original CVE updated: 2026-04-02
Advisory published: 2026-02-24
Advisory updated: 2026-04-02

Who should care

Gardyn customers and operators managing Home Kit or Studio devices, the Gardyn mobile application, and Gardyn Cloud API integrations—especially anyone exposing these services beyond an expected trusted network.

Technical summary

The advisory states that development and test API endpoints are present and mirror production functionality. Affected versions listed in the source include Gardyn Home Firmware prior to master.619, Gardyn Studio Firmware, Gardyn Mobile Application prior to 2.11.0, and Gardyn Cloud API prior to 2.12.2026. CISA’s source uses CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating a network-reachable issue with limited confidentiality impact.

Defensive priority

Medium. Prioritize remediation for any Gardyn deployments that are internet-reachable or that rely on the affected mobile app and cloud API, then verify versions and update paths.

Recommended defensive actions

  • Update Gardyn Home and Studio devices to firmware master.622 or later, as recommended by Gardyn.
  • Update the Gardyn mobile application to the most recent supported version.
  • Check the current Gardyn App and Home firmware versions inside the app.
  • Ensure devices have network connectivity so required firmware updates can download automatically.
  • If devices are offline, connect them to a working Internet connection and confirm the update completes.
  • Use the CISA advisory and Gardyn security guidance to verify the current affected-version scope before and after remediation.

Evidence notes

Source: CISA CSAF advisory ICSA-26-055-03 (published 2026-02-24, updated 2026-04-02). The source text for CVE-2026-32662 says: "Development and test API endpoints are present that mirror production functionality." The advisory’s revision history shows Update A added CVE-2026-32662 and updated mitigations and affected products. The source also provides CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (5.3 Medium).

Official resources

Publicly disclosed by CISA on 2026-02-24 and updated on 2026-04-02 (Update A) to add CVE-2026-32662 and refresh mitigations.