CVE-2026-28766: Gardyn Smart Garden Platform Leaks All User Accounts Unauthenticated
A critical security vulnerability tracked as CVE-2026-28766 (CVSS 9.3) has been disclosed affecting the Gardyn smart indoor garden platform. The flaw exposes all registered user account information via a specific API endpoint that requires no authentication to access — meaning any internet-connected attacker can retrieve the full user database without providing credentials.
Gardyn is an IoT-connected smart garden device marketed to consumers for automated hydroponic indoor gardening. The platform collects user personal data to support device management, notifications, and e-commerce features.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-28766 |
| CVSS Score | 9.3 (Critical) |
| CWE Classification | CWE-306 — Missing Authentication for Critical Function |
| Affected Platform | Gardyn Smart Garden IoT Platform |
| Attack Vector | Network — no authentication required |
| Privileges Required | None |
| User Interaction | None |
| Data Exposed | All registered Gardyn user account information |
| Patch Status | To be confirmed |
Technical Background
The Gardyn platform backend exposes a specific API endpoint that returns complete user account records for all registered users. This endpoint was likely intended for internal administrative use or device provisioning, but was deployed without authentication controls in production.
An unauthenticated attacker who discovers or guesses this endpoint can retrieve:
- Full names of registered users
- Email addresses
- Physical mailing addresses (for device shipping and support)
- Account credentials or authentication tokens (if stored in the user record)
- Device registration data (which Gardyn devices are registered to which accounts)
- Order history and payment metadata
Because no authentication is required, exploitation does not require a Gardyn account or any form of credential — only network access to the Gardyn API servers.
Attack Flow
1. Attacker discovers or enumerates the unauthenticated Gardyn API endpoint (via API documentation, app traffic analysis, or directory enumeration)
2. Attacker sends a GET request to the endpoint without any credentials:
   `GET https://api.gardyn.io/[endpoint] HTTP/1.1`
3. API server returns complete user account data for all registered users
4. Attacker harvests PII: names, emails, addresses, device info
5. Harvested data used for:
   - Targeted phishing campaigns
   - Physical address-based attacks
   - Identity theft
   - Account credential reuse attacks
   - Data broker resale
IoT Platform Security Context
IoT consumer devices present a unique and often underappreciated attack surface. Unlike traditional software applications, IoT platforms:
- Collect rich physical-world data including home addresses for device delivery and location-aware features
- Are managed by cloud APIs that control both account data and device functionality
- Often ship with minimal security review as they are built to market quickly
- Serve non-technical consumers who are unlikely to detect a breach or receive meaningful notification
The Gardyn vulnerability is part of a recurring pattern of IoT platform API security failures where device management APIs are deployed without proper authentication enforcement.
Impact Assessment
| Impact Area | Description |
|---|---|
| PII Exposure | Full names, email addresses, and physical mailing addresses at risk |
| Privacy Violation | Exposes home or delivery addresses of all registered users |
| Phishing Risk | Enables highly targeted phishing using full name and verified email |
| Account Takeover | If tokens or credentials are exposed, direct takeover possible |
| GDPR/CCPA Risk | Significant regulatory exposure for Gardyn as a data controller |
| Physical Security | Home address exposure creates risk of physical targeting in extreme cases |
Remediation
For Gardyn (Platform Owner)
- Immediately restrict the exposed endpoint: Require valid authentication tokens for all API endpoints that return user data
- Audit all API endpoints: Review every endpoint in the Gardyn API surface for missing authentication requirements
- Rotate any exposed credentials: If the endpoint exposed authentication tokens, force-rotate all affected credentials
- Notify affected users: Disclose the vulnerability and its scope to all registered Gardyn users per applicable breach notification laws (GDPR 72-hour window, applicable US state laws)
- Implement API gateway controls: Enforce authentication at the API gateway layer as a defense-in-depth control
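The deny-by-default pattern the remediation items describe (authentication enforced once, in front of every data-returning route, with an explicit allowlist for the few public paths) can be shown as a small WSGI middleware. This is an added example, not Gardyn's code; the token store, the `/v1/login` and `/health` public paths, and the `auth.account` environ key are constructed placeholders.

```python
import hmac
import json

# Constructed sample token store (opaque token -> account id); hypothetical values.
VALID_TOKENS = {"tok-user-1234": "acct-1", "tok-user-5678": "acct-2"}

# Only routes listed here may be served without credentials; everything else is denied.
PUBLIC_PATHS = frozenset({"/health", "/v1/login"})


def lookup_token(header):
    """Return the account id for a 'Bearer <token>' header, or None if it is invalid."""
    if not header or not header.startswith("Bearer "):
        return None
    presented = header[len("Bearer "):].strip().encode()
    for token, account in VALID_TOKENS.items():
        # Constant-time comparison so a caller cannot learn token bytes via timing.
        if hmac.compare_digest(presented, token.encode()):
            return account
    return None


def require_auth(app):
    """WSGI middleware: reject any non-public request that lacks a valid token."""
    def wrapper(environ, start_response):
        path = environ.get("PATH_INFO", "")
        account = lookup_token(environ.get("HTTP_AUTHORIZATION"))
        if path not in PUBLIC_PATHS and account is None:
            start_response("401 Unauthorized", [("Content-Type", "application/json"),
                                                ("WWW-Authenticate", "Bearer")])
            return [json.dumps({"error": "authentication required"}).encode()]
        environ["auth.account"] = account  # handlers must scope returned data to this account
        return app(environ, start_response)
    return wrapper


def users_app(environ, start_response):
    """Stand-in for a user-data handler; behind the middleware it only sees authenticated calls."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps({"account": environ.get("auth.account")}).encode()]


protected = require_auth(users_app)


def call(app, path, auth=None):
    """Drive a WSGI app in-process and return (status, parsed JSON body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"] = status
    body = b"".join(app({"PATH_INFO": path, "HTTP_AUTHORIZATION": auth}, start_response))
    return captured["status"], json.loads(body)
```

Because the check sits in front of the application rather than inside each handler, a newly added data endpoint is protected unless someone deliberately adds it to the public allowlist.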
For Affected Users
If you are a registered Gardyn user:
- Change your Gardyn password immediately
- Enable multi-factor authentication if available on the Gardyn platform
- Monitor your email for phishing attempts using your registered Gardyn email address
- Be aware of your exposed physical address and watch for unexpected physical mail or unusual activity
- Check Have I Been Pwned (haveibeenpwned.com) for your email address
Detection
Gardyn's engineering team can identify potential exploitation by reviewing API access logs:
```shell
# Identify requests to the unauthenticated endpoint that lack auth headers.
# Replace [vulnerable-endpoint] with the literal request path. Note that standard
# access-log formats do not record request headers, so the "Authorization:" filter
# only applies if the log format was extended to include them; otherwise every hit
# on an endpoint that never enforced authentication should be treated as unauthenticated.
grep "GET /[vulnerable-endpoint]" api-access.log | \
  grep -v "Authorization:" | \
  awk '{print $1}' | sort | uniq -c | sort -rn   # requests per client IP, busiest first
# Flag high-volume requests from single IPs (enumeration)
# Flag requests from IPs with no other platform activity (external scraping)
```
Implementing mandatory authentication middleware on all endpoints and alerting on access to data-returning endpoints without valid session tokens will prevent future occurrences.
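The two flags at the end of the log review above (single IPs hammering the endpoint, and IPs that touch nothing else on the platform) can be computed in one pass over the access log. This is an added example, not Gardyn's tooling; the log lines are constructed, and `/v1/admin/users` and the volume threshold are assumed placeholders.

```python
import re
from collections import defaultdict

SENSITIVE_PATH = "/v1/admin/users"   # assumed placeholder for the vulnerable endpoint
VOLUME_THRESHOLD = 3                 # assumed; tune to the endpoint's legitimate rate

# Combined Log Format: client ip, identity, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2026:10:00:01 +0000] "GET /v1/admin/users?page=1 HTTP/1.1" 200 51234
203.0.113.10 - - [01/Mar/2026:10:00:02 +0000] "GET /v1/admin/users?page=2 HTTP/1.1" 200 51101
203.0.113.10 - - [01/Mar/2026:10:00:03 +0000] "GET /v1/admin/users?page=3 HTTP/1.1" 200 50988
203.0.113.10 - - [01/Mar/2026:10:00:04 +0000] "GET /v1/admin/users?page=4 HTTP/1.1" 200 50870
198.51.100.7 - - [01/Mar/2026:10:05:00 +0000] "GET /v1/admin/users HTTP/1.1" 200 51234
192.0.2.44 - - [01/Mar/2026:10:06:00 +0000] "POST /v1/login HTTP/1.1" 200 312
192.0.2.44 - - [01/Mar/2026:10:06:05 +0000] "GET /v1/devices/mine HTTP/1.1" 200 2048
192.0.2.44 - - [01/Mar/2026:10:06:09 +0000] "GET /v1/admin/users HTTP/1.1" 200 51234
garbage line that does not parse
"""


def analyse(log_text):
    """Return {ip: [reasons]} for every IP whose use of the sensitive path looks like scraping."""
    hits = defaultdict(int)    # requests to the sensitive path, per IP
    other = defaultdict(int)   # requests to anything else on the platform, per IP
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue           # malformed line: skip it rather than abort the whole sweep
        path = m["path"].split("?", 1)[0]   # drop the query string before comparing
        if path == SENSITIVE_PATH:
            hits[m["ip"]] += 1
        else:
            other[m["ip"]] += 1
    findings = {}
    for ip, n in hits.items():
        reasons = []
        if n >= VOLUME_THRESHOLD:
            reasons.append("high-volume")
        if other[ip] == 0:
            reasons.append("no-other-activity")
        if reasons:
            findings[ip] = reasons
    return findings
```

The IP that logged in and browsed its own devices before touching the endpoint is not flagged, while the paging scraper and the one-shot external fetch both are; in practice the second category needs a wider time window than a single log excerpt to avoid flagging legitimate first-time callers.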
Key Takeaways
- CVE-2026-28766 is a CVSS 9.3 Critical vulnerability in the Gardyn IoT platform exposing all user account data without authentication
- Zero barrier to exploitation — no account, credentials, or special tools required
- Consumer IoT platforms routinely ship with misconfigured API authentication — this is a systemic industry problem
- PII at risk: names, email addresses, and physical addresses of all registered Gardyn users
- Regulatory exposure: Gardyn faces potential GDPR and CCPA breach notification obligations
- Gardyn users should change passwords immediately and monitor for phishing