MichaelAdamGroberman/CVE-2026-28767
CVE-2026-28767: Missing Authentication on Administrative Notifications Endpoint

Advisory

| Field | Value |
| --- | --- |
| CVE | CVE-2026-28767 |
| ICSA | ICSA-26-055-03 (Update A) |
| CVSS 3.1 | 5.3 (Medium) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CWE | CWE-306 (Missing Authentication for Critical Function) |
| Researcher | Michael Groberman — Gr0m |
| Published | 2026-04-02 (Update A) |

Product

| Field | Value |
| --- | --- |
| Vendor | Gardyn |
| Product | Gardyn Home Kit 1.0, 2.0, 3.0, 4.0; Gardyn Studio 1.0, 2.0 |
| Component | Cloud API |
| Affected Versions | Cloud API < 2.12.2026 |

Summary

The /api/admin/notifications administrative endpoint is accessible without authentication, exposing internal notification system data and administrative communications to unauthenticated users.

Vulnerability Details

Unauthenticated Access

The administrative notifications endpoint is publicly accessible without any authentication or authorization controls:

```
GET [REDACTED — Cloud API host]/api/admin/notifications
Authentication: NONE
```

Exposed Data

The unauthenticated endpoint provides access to:

  • Internal notification system data and message templates
  • Administrative communications and system alerts
  • Push notification configurations and delivery status
  • User notification preferences and targeting data

Systemic Pattern

This endpoint is part of a broader pattern of missing authentication on the Gardyn /api/admin/* path. Both /api/admin/devices (CVE-2026-32646) and /api/admin/notifications lack authentication, suggesting the entire administrative API namespace may have been deployed without access controls.

Impact

  • Information disclosure of internal administrative communications
  • Visibility into operational processes and system events
  • Notification template and targeting data exposure
  • Reconnaissance value for identifying system behavior, user engagement patterns, and administrative workflows
  • Potential for notification injection or modification if write operations are exposed

Standard Services Available for This Class of Endpoint

| Service | Purpose |
| --- | --- |
| Azure App Service Authentication (Easy Auth) | Built-in authentication middleware — a single toggle protects all endpoints |
| Azure App Service Access Restrictions | IP-based or VNet-based access rules to restrict who can reach specific endpoints |

Remediation

Gardyn recommends upgrading to Cloud API version 2.12.2026 or later. See https://mygardyn.com/security/ for additional information.

Recommended fix for the vendor:

  1. Require administrative authentication on all /api/admin/* endpoints
  2. Implement role-based access control for administrative operations
  3. Audit all endpoints under the /api/admin/ path for missing authentication
  4. Place administrative endpoints behind a separate access-controlled path
  5. Audit access logs for unauthorized access to administrative endpoints
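Recommendations 1 to 3 and the audit in step 5, as an added example that is not Gardyn's code: a deny-by-default gate keyed on the `/api/admin` prefix (the `admin` role name is hypothetical), and the same path rule applied to constructed access-log lines in an assumed `ts client method target status subject` format.

```python
# Added example, not Gardyn's code: one prefix rule gates every
# /api/admin/* route, and the same rule audits access logs for
# anonymous admin hits. Role name and log format are assumptions.
from dataclasses import dataclass
from posixpath import normpath
from typing import Optional
from urllib.parse import unquote, urlsplit

ADMIN_PREFIX = "/api/admin"   # namespace that must never be reachable anonymously
ADMIN_ROLE = "admin"          # hypothetical role name

@dataclass(frozen=True)
class Principal:
    subject: str
    roles: frozenset

def is_admin_path(target: str) -> bool:
    """Match the canonical path so query strings, doubled slashes,
    '..' segments and percent-encoding cannot slip past the prefix."""
    path = normpath(unquote(urlsplit(target).path))
    return path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/")

def authorize(target: str, principal: Optional[Principal]) -> tuple:
    """Run before any handler; returns (status, reason). Authenticate
    first (401), then require the administrative role (403)."""
    if not is_admin_path(target):
        return 200, "not an administrative route"
    if principal is None:                      # the check the endpoint lacked
        return 401, "authentication required"
    if ADMIN_ROLE not in principal.roles:
        return 403, "administrative role required"
    return 200, "authenticated administrator"

def anonymous_admin_hits(log_lines):
    """Audit step: (timestamp, client, target) of requests that reached an
    admin route with no principal ('-') and were served (status < 400).
    Assumed log format: 'ts client method target status subject'."""
    hits = []
    for line in log_lines:
        ts, client, _method, target, status, subject = line.split()
        if is_admin_path(target) and subject == "-" and int(status) < 400:
            hits.append((ts, client, target))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not data from the advisory
    "2026-03-01T10:00:00Z 203.0.113.5 GET /api/admin/notifications 200 -",
    "2026-03-01T10:00:01Z 203.0.113.5 GET /api/admin//devices?page=2 200 -",
    "2026-03-01T10:00:02Z 198.51.100.7 GET /api/admin/notifications 200 ops",
    "2026-03-01T10:00:03Z 192.0.2.9 GET /api/devices/me 200 -",
]
```

Running `anonymous_admin_hits(SAMPLE_LOG)` flags the two served anonymous requests, including the one hidden behind a doubled slash and a query string, while the authenticated request and the non-admin route are left alone.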

Timeline

| Date | Event |
| --- | --- |
| 2025-10-14 | Initial disclosure to vendor |
| 2025-12-11 | Disclosure to CERT/CC |
| 2026-02-24 | ICSA-26-055-03 published (initial) |
| 2026-04-02 | ICSA-26-055-03 Update A -- CVE-2026-28767 added |

Credit

Reported by Michael Groberman — Gr0m to CISA.
