85 matches found
EUVD-2026-41464
Gardyn devices expose a privileged iothubowner key. Access to this key will allow a malicious user to invoke an IoTHub Registry Manager function which returns connection information for all Gardyn Home Kit and Studio devices. Access to this key also allows a malicious user to execute arbitrary...
EUVD-2026-41465
The Azure Blob Storage container used for Gardyn device logs is publicly listable without authentication. A malicious user would be able to access any device log file available in the blob storage container...
CVE-2026-13768
Gardyn devices expose a privileged iothubowner key. Access to this key will allow a malicious user to invoke an IoTHub Registry Manager function which returns connection information for all Gardyn Home Kit and Studio devices. Access to this key also allows a malicious user to execute arbitrary...
CVE-2026-55726
The Azure Blob Storage container used for Gardyn device logs is publicly listable without authentication. A malicious user would be able to access any device log file available in the blob storage container...
CVE-2026-54477
CVE-2026-54477 affects the Gardyn IoT Hub admin panel, where the absence of standard security headers allows clickjacking and cross-site scripting. The available data show an impact with low confidentiality and integrity impact (CVSS scores: 5.1/4.0 base metrics, MEDIUM), but no explicit details ...
CVE-2026-54477 Gardyn IoT Hub Improper Neutralization of HTTP Headers for Scripting Syntax
The admin panel lacks standard security headers, enabling clickjacking and cross-site scripting attacks...
CVE-2026-55726 Gardyn IoT Hub Exposure of Sensitive System Information to an Unauthorized Control Sphere
The Azure Blob Storage container used for Gardyn device logs is publicly listable without authentication. A malicious user would be able to access any device log file available in the blob storage container...
CVE-2026-55726
CVE-2026-55726 concerns Gardyn IoT Hub: the Azure Blob Storage container used for device logs is publicly listable without authentication, enabling access to any device log file in that container. The root cause is a misconfiguration of storage permissions, exposing logs to unauthenticated users....
CVE-2026-13768 Gardyn IoT Hub Use of Hard-coded Credentials
Gardyn devices expose a privileged iothubowner key. Access to this key will allow a malicious user to invoke an IoTHub Registry Manager function which returns connection information for all Gardyn Home Kit and Studio devices. Access to this key also allows a malicious user to execute arbitrary...
CVE-2026-13768
CVE-2026-13768 affects Gardyn Home Kit and Gardyn Studio. The root cause is exposure of a privileged iothubowner credential, which enables a malicious user to invoke IoTHub Registry Manager functions to obtain connection information for all Gardyn devices and to execute commands on a specific dev...
Exploit for CVE-2025-10681
CERT/CC VU653116 | CISA Advisory ICSA-26-055-03https:/...
CVE-2026-28766
A specific endpoint exposes all user account information for registered Gardyn users without requiring authentication...
EUVD-2026-18839
A specific endpoint exposes all user account information for registered Gardyn users without requiring authentication...
CVE-2026-28766
A specific endpoint exposes all user account information for registered Gardyn users without requiring authentication...
CVE-2025-10681
Gardyn CVE-2025-10681 affects the Gardyn mobile app and device firmware, which hardcode Azure Blob Storage account keys granting account‑level access to three storage accounts. Impact includes read access to ~115k camera images, read/write to OTA firmware storage (enabling supply chain risk), acc...
CVE-2025-10681 Gardyn Mobile Application and Device Firmware Use Hard-coded Credentials
Storage credentials are hardcoded in the mobile app and device firmware. These credentials do not adequately limit end user permissions and do not expire within a reasonable amount of time. This vulnerability may grant unauthorized access to production storage containers...
CVE-2026-25197
CVE-2026-25197 pertains to Gardyn Cloud API, where an endpoint allows an authenticated user to pivot to other user profiles by altering the id parameter in the API call. The underlying issue is an authorization bypass via a user-controlled key/id, enabling access to other profiles and potentially...
CVE-2026-25197 Gardyn Cloud API Authorization Bypass Through User-Controlled Key
A specific endpoint allows authenticated users to pivot to other user profiles by modifying the id number in the API call...
CVE-2026-25197 Gardyn Cloud API Authorization Bypass Through User-Controlled Key
A specific endpoint allows authenticated users to pivot to other user profiles by modifying the id number in the API call...
CVE-2026-28766 Gardyn Cloud API Missing Authentication for Critical Function
A specific endpoint exposes all user account information for registered Gardyn users without requiring authentication...