| Field | Value |
|---|---|
| CVE | CVE-2026-32646 |
| ICSA | ICSA-26-055-03 (Update A) |
| CVSS 3.1 | 7.5 (High) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CWE | CWE-306 (Missing Authentication for Critical Function) |
| Researcher | Michael Groberman — Gr0m |
| Published | 2026-04-02 (Update A) |

| Field | Value |
|---|---|
| Vendor | Gardyn |
| Product | Gardyn Home Kit 1.0, 2.0, 3.0, 4.0; Gardyn Studio 1.0, 2.0 |
| Component | Cloud API |
| Affected Versions | Cloud API < 2.12.2026 |
The /api/admin/devices administrative endpoint for device management is accessible without authentication. This endpoint exposes device enumeration, metadata retrieval, and device management functions intended for administrative use only.
The administrative device management endpoint is publicly accessible without any authentication or authorization controls:
GET [REDACTED — Cloud API host]/api/admin/devices
Authentication: NONE
The unauthenticated endpoint enables:
- Device enumeration -- list all registered devices in the fleet
- Device metadata -- serial numbers, firmware versions, online/offline status, last seen timestamps
- Device-to-user mapping -- which user owns which device
- Device management operations -- administrative CRUD operations on device records
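The following is an added illustration, not Gardyn's code: a toy request dispatcher that shows the CWE-306 shape described above (an admin handler that is simply never asked for an identity) next to the shape the fix should take (authentication and an admin-role check enforced by the dispatcher for every path under /api/admin/, before any handler runs). The routes, bearer tokens, session store and device records are all constructed for the example; the real Cloud API's schema and auth mechanism are not known from this advisory.

```python
"""Added example, not Gardyn's code: vulnerable vs. hardened dispatch for an
administrative device-listing route. Tokens, routes and records are constructed."""
import posixpath
from dataclasses import dataclass, field

# Constructed session store: bearer token -> (user_id, role). Not real secrets.
SESSIONS = {
    "tok-user-alice": ("alice", "user"),
    "tok-admin-ops": ("ops-1", "admin"),
}

# Constructed device fleet; the real Cloud API schema is an assumption here.
DEVICES = [
    {"id": 1001, "serial": "GH4-0001", "fw": "3.1.0", "owner": "alice", "online": True},
    {"id": 1002, "serial": "GS2-0077", "fw": "2.9.4", "owner": "bob", "online": False},
]

ADMIN_PREFIX = "/api/admin/"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def principal(req):
    """Resolve a bearer token to (user_id, role); None if absent or unknown."""
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    return SESSIONS.get(token)


def canonical(path):
    """Collapse '..', '.' and repeated slashes so the auth gate and the router
    agree on what is an admin path ('/api/admin/../admin/devices' included)."""
    return "/" + posixpath.normpath(path).lstrip("/")


def admin_list_devices(req, who):
    # Fleet-wide listing: serials, firmware, owner mapping, online status.
    return 200, {"devices": DEVICES}


def user_list_devices(req, who):
    # Per-user listing: only records owned by the authenticated principal.
    user_id, _role = who
    return 200, {"devices": [d for d in DEVICES if d["owner"] == user_id]}


ROUTES = {
    ("GET", "/api/admin/devices"): admin_list_devices,
    ("GET", "/api/devices"): user_list_devices,
}


def dispatch_vulnerable(req):
    """Each handler is trusted to check identity on its own. The user route
    does; the admin route was never given a check, so anyone gets the fleet."""
    handler = ROUTES.get((req.method, canonical(req.path)))
    if handler is None:
        return 404, {"error": "not found"}
    who = principal(req)
    if handler is user_list_devices and who is None:  # the only check present
        return 401, {"error": "authentication required"}
    return handler(req, who)  # admin handler runs even when who is None


def dispatch_hardened(req):
    """Identity is required for every route and the admin role for the whole
    /api/admin/ prefix, both decided centrally before routing. Checking auth
    before the 404 lookup also keeps anonymous callers from mapping admin routes."""
    path = canonical(req.path)
    who = principal(req)
    if who is None:
        return 401, {"error": "authentication required"}
    if path.startswith(ADMIN_PREFIX) and who[1] != "admin":
        return 403, {"error": "admin role required"}
    handler = ROUTES.get((req.method, path))
    if handler is None:
        return 404, {"error": "not found"}
    return handler(req, who)
```

The gate keys on a canonicalized path on purpose: a prefix check that runs on the raw request path while the router normalizes it (or the reverse) is a classic way for "/api/admin/../admin/devices" or "//api/admin/devices" to slip past the check and still reach the handler, so both must see the same string.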
This endpoint provides an alternative path to device enumeration that does not require the IoT Hub credential (CVE-2025-1242). While CVE-2025-1242 enables enumeration via the Azure IoT Hub registry, this endpoint enables enumeration via the Gardyn backend API -- two independent paths to the same data.
Combined with CVE-2026-25197 (IDOR), device IDs obtained from this endpoint can be used to pivot to user PII via the REST API.
- Complete device fleet enumeration without authentication (~138,160 registered devices)
- Device metadata exposure (serials, firmware versions, status) enables targeted attacks
- Device-to-user correlation enables privacy violations at scale
- Provides reconnaissance data for exploiting CVE-2025-1242 (IoT Hub credentials) and CVE-2025-29631 (command injection)
- Administrative function exposure may enable device manipulation
| Service | Purpose |
|---|---|
| Azure App Service Authentication (Easy Auth) | Built-in authentication middleware — a single toggle protects all endpoints |
| Azure App Service Access Restrictions | IP-based or VNet-based access rules to restrict who can reach specific endpoints |
| Azure RBAC | Role-based access control separating administrative and user operations |
Gardyn recommends upgrading to Cloud API version 2.12.2026 or later. See https://mygardyn.com/security/ for additional information.
Recommended mitigations for device owners:
- Isolate the Gardyn device on a dedicated VLAN or IoT network segment
Recommended fix for the vendor:
- Require administrative authentication on all /api/admin/* endpoints
- Implement role-based access control separating admin and user operations
- Place administrative endpoints behind a separate access-controlled path (not on the public API)
- Audit administrative endpoint access logs for unauthorized access
- Implement rate limiting on device listing endpoints
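As an added example of the log-audit step above (not Gardyn's or CISA's tooling), the script below scans access-log lines for requests under /api/admin/ that were served without an authenticated identity, or served to an authenticated identity from outside an assumed administrative source range, and tallies successful admin hits per client address so bulk enumeration stands out. The log format, the sample lines, and the 10.20.0.0/16 admin range are all constructed; the regex would need adapting to the real server's log format.

```python
"""Added example, not the vendor's tooling: audit access logs for admin-prefix
requests served without authentication or from unexpected sources.
Log format, sample lines and the admin source range are constructed."""
import posixpath
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed format: time ip "METHOD target HTTP/x" status bytes authenticated_user
LOG_RE = re.compile(
    r'^(?P<time>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<user>\S+)$'
)

# Constructed sample lines; "-" in the last field means no authenticated identity.
SAMPLE_LOG = """\
2026-01-03T10:00:01Z 203.0.113.7 "GET /api/admin/devices HTTP/1.1" 200 48211 -
2026-01-03T10:00:02Z 203.0.113.7 "GET /api/admin/devices?page=2 HTTP/1.1" 200 48300 -
2026-01-03T10:00:03Z 10.20.0.5 "GET /api/admin/devices HTTP/1.1" 200 48211 ops-admin
2026-01-03T10:00:04Z 198.51.100.9 "GET /api/admin/../admin/devices HTTP/1.1" 200 48211 -
2026-01-03T10:00:05Z 203.0.113.7 "GET /api/devices/1001 HTTP/1.1" 200 512 alice
2026-01-03T10:00:06Z 198.51.100.9 "DELETE /api/admin/devices/1002 HTTP/1.1" 204 0 -
2026-01-03T10:00:07Z 203.0.113.7 "GET /api/admin/users HTTP/1.1" 401 0 -
2026-01-03T10:00:08Z 203.0.113.7 "GET /api/admin/devices HTTP/1.1" 200 48211 ops-admin
""".splitlines()

# Assumed range from which administrative access is expected (hypothetical).
ADMIN_SOURCES = [ip_network("10.20.0.0/16")]
ADMIN_PREFIX = "/api/admin/"


def canonical_path(target):
    """Drop the query string and collapse '..', '.' and repeated slashes so
    '/api/admin/../admin/devices' and '//api/admin/devices' count as admin."""
    path = target.split("?", 1)[0]
    return "/" + posixpath.normpath(path).lstrip("/")


def audit(lines, admin_sources=ADMIN_SOURCES):
    """Return (findings, served_admin_hits_per_ip).

    findings is a list of tuples whose first element is the finding kind:
      admin_served_unauthenticated       2xx on /api/admin/* with no identity
      admin_served_from_unexpected_source 2xx on /api/admin/* with an identity,
                                          but from outside admin_sources
      unparsed                            line did not match LOG_RE
    """
    findings = []
    hits_per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            findings.append(("unparsed", line))
            continue
        path = canonical_path(m["target"])
        if not path.startswith(ADMIN_PREFIX):
            continue
        ip, status, user = m["ip"], int(m["status"]), m["user"]
        served = 200 <= status < 300
        if not served:
            continue  # denied probes are noise here; count only what was served
        hits_per_ip[ip] += 1
        if user == "-":
            findings.append(("admin_served_unauthenticated", ip, m["method"], path, status))
        elif not any(ip_address(ip) in net for net in admin_sources):
            findings.append(("admin_served_from_unexpected_source", ip, user, m["method"], path))
    return findings, dict(hits_per_ip)


if __name__ == "__main__":
    found, hits = audit(SAMPLE_LOG)
    for f in found:
        print(*f)
    print("served admin hits per ip:", hits)
```

On a pre-fix log the first finding kind is the important one: before 2.12.2026 every request to the endpoint was served, so the anonymous 2xx entries are the record of exposure, and the per-IP counts show which clients walked the fleet listing page by page.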
| Date | Event |
|---|---|
| 2025-10-14 | Initial disclosure to vendor |
| 2025-12-11 | Disclosure to CERT/CC |
| 2026-02-24 | ICSA-26-055-03 published (initial) |
| 2026-04-02 | ICSA-26-055-03 Update A -- CVE-2026-32646 added |
Reported by Michael Groberman — Gr0m to CISA.