- Product: Gardyn Home Firmware
- Vulnerabilities: 3 flaws (CVE-2026-13768, CVE-2026-55726, CVE-2026-54477)
- Highest severity: 10.0 (Critical · CVSSv3)
- Worst impact: IoT Hub Use of Hard-coded Credentials
- Status: No confirmed exploitation yet; patches available
- Action: Update to master.627, 2.12.2026 now
| CVE | CVSS | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-13768 | 10.0 | IoT Hub Use of Hard-coded Credentials | master.627, 2.12.2026 | Not exploited |
| CVE-2026-54477 | 5.4 | IoT Hub Improper Neutralization of HTTP Headers for Scripting Syntax | master.627, 2.12.2026 | Not exploited |
| CVE-2026-55726 | 5.3 | IoT Hub Exposure of Sensitive System Information to an Unauthorized Control Sphere | master.627, 2.12.2026 | Not exploited |
TL;DR
CISA published an advisory for three flaws in the Gardyn IoT Hub, the controller for Gardyn’s indoor smart gardens. The worst, CVE-2026-13768, earns a maximum CVSS score of 10 and allows unauthenticated remote code execution. Gardyn has already patched its cloud infrastructure, and devices update over the internet.
Why It Matters
Gardyn sells app-controlled hydroponic gardens for the home. A related CISA advisory counted more than 138,000 registered devices across the product line. So one exposed key puts a large fleet at risk. Because the flaw needs no login, an attacker could reach devices straight from the internet. One key would then unlock the whole managed fleet at once. CISA files these bugs under Food and Agriculture, a critical infrastructure sector. To date, CISA reports no known exploitation in the wild.
How the Attack Works
The Gardyn IoT Hub exposes a privileged iothubowner key. With that key, an attacker can call an Azure IoT Hub Registry Manager function. The call returns connection details for every Gardyn Home Kit and Studio device. From there, the attacker can run arbitrary commands on a chosen device. Worse, they can pivot to other devices on the victim’s home network. The CISA advisory ICSA-26-183-03 traces the root cause to hard-coded credentials, or CWE-798.
Two lesser bugs
CVE-2026-55726 (CVSS 5.3) leaves a device-log storage container publicly listable. CVE-2026-54477 (CVSS 5.4) drops security headers on the admin panel, which invites clickjacking and cross-site scripting.
Affected Versions
The flaws affect Gardyn Home and Studio firmware before master.627, plus Cloud API before 2.12.2026. Michael Groberman reported the issues to CISA.
Patch and Mitigation
Gardyn says its deployed infrastructure now blocks these flaws. Keep each Gardyn IoT Hub online so firmware updates arrive automatically. Also update the Gardyn mobile app to the latest version. Beyond that, CISA urges owners to keep control devices off the public internet and behind a firewall. For details and contacts, see the Gardyn security page.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.