CISA has published an ICS advisory detailing three vulnerabilities in Gardyn’s IoT Hub platform, used by smart home garden devices deployed across the United States. The most severe flaw carries a CVSS v3.1 score of 10.0 and allows unauthenticated remote attackers to take full control of managed devices. Affected versions include Gardyn Home Firmware and Studio Firmware prior to master.627, and Cloud API prior to 2.12.2026.

Hardcoded Credentials Allow Full Device Takeover

The most critical issue, tracked as CVE-2026-13768, stems from Gardyn devices exposing a privileged iothubowner key in their firmware. An attacker obtaining this key can invoke Azure IoTHub Registry Manager functions to retrieve connection details for all Gardyn Home Kit and Studio devices. Beyond reconnaissance, the key enables execution of arbitrary commands on any connected device and could facilitate lateral movement into the broader home network. The vulnerability is classified under CWE-798 (Use of Hard-coded Credentials) and scores 10.0 critical under CVSS v3.1.
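A defender-side check that follows from CVE-2026-13768, added here as an example (not code from the advisory or from Gardyn): scan a firmware image for embedded Azure IoT Hub shared-access connection strings and flag any that name a hub-scoped policy such as iothubowner. The host name, keys and ELF-like prefix in the sample blob are constructed for the demonstration.

```python
import re

# Azure IoT Hub shared-access connection strings have a documented shape:
#   HostName=<hub>.azure-devices.net;SharedAccessKeyName=<policy>;SharedAccessKey=<base64>
# Any such string carries a hub-level policy key; "iothubowner" additionally
# grants registry-wide access, which is the condition the advisory describes.
CONN_STR = re.compile(
    rb"HostName=(?P<host>[A-Za-z0-9.-]+\.azure-devices\.net);"
    rb"SharedAccessKeyName=(?P<policy>[A-Za-z0-9_-]+);"
    rb"SharedAccessKey=(?P<key>[A-Za-z0-9+/]{20,}={0,2})"
)

# Built-in policies with registry and/or service rights: never acceptable in a device image.
REGISTRY_SCOPED = {b"iothubowner", b"service", b"registryread", b"registryreadwrite"}

def find_iothub_credentials(blob: bytes) -> list[dict]:
    """Return one finding per embedded connection string, with the secret redacted."""
    findings = []
    for m in CONN_STR.finditer(blob):
        policy = m.group("policy")
        findings.append({
            "offset": m.start(),
            "host": m.group("host").decode(),
            "policy": policy.decode(),
            # Keep only a short prefix for triage; the report must not contain the key.
            "key_prefix": m.group("key")[:4].decode() + "...",
            "severity": "critical" if policy.lower() in REGISTRY_SCOPED else "high",
        })
    return findings

# Constructed sample "firmware" blob (hypothetical host and keys, not real values).
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"HostName=example-hub.azure-devices.net;SharedAccessKeyName=iothubowner;"
      b"SharedAccessKey=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\x00"
    + b"unrelated string table entry\x00"
    + b"HostName=example-hub.azure-devices.net;SharedAccessKeyName=device;"
      b"SharedAccessKey=MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODk=\x00"
)

if __name__ == "__main__":
    for finding in find_iothub_credentials(SAMPLE_FIRMWARE):
        print(finding)
```

Run it against an unpacked firmware image (or the output of `strings`) as part of a pre-release build check; a critical finding means the image ships a key that must be revoked in the hub, not merely removed from the next build.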

Public Log Storage and Missing Security Headers

CVE-2026-55726 concerns the Azure Blob Storage container used for Gardyn device logs, which is publicly listable without any authentication. Any external party can enumerate and download log files for any device registered to the platform. This flaw is rated medium severity (CVSS v3.1 5.3).

CVE-2026-54477 affects the Gardyn admin panel, which lacks standard HTTP security headers. The absence of these controls enables clickjacking and cross-site scripting attacks against admin users. This issue is also rated medium (CVSS v3.1 5.4).

Fixes Deployed, User Action Required

Gardyn states that its cloud infrastructure has already been updated to address all three vulnerabilities. Users are directed to ensure their devices maintain an active internet connection so that firmware updates download automatically. Devices without connectivity will update once reconnected. Gardyn also recommends updating the Gardyn mobile application to the latest available version.

Security professionals managing environments that include consumer IoT devices should note that Gardyn Hub falls under the Food and Agriculture critical infrastructure sector, making patch verification worthwhile for any organization or facility using the platform. The vulnerabilities were reported to CISA by researcher Michael Groberman.

  • CVE-2026-13768: Hardcoded privileged credential, CVSS v3.1 10.0 Critical
  • CVE-2026-55726: Unauthenticated public Azure Blob log access, CVSS v3.1 5.3 Medium
  • CVE-2026-54477: Missing HTTP security headers enabling clickjacking and XSS, CVSS v3.1 5.4 Medium