CVE-2026-28766
Unauthorized Data Exposure in Gardyn User Account Endpoint
Publication date: 2026-04-03
Last updated on: 2026-04-22
Assigner: ICS-CERT
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mygardyn | cloud_api | to 2.12.2026 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability exposes all user account information for registered Gardyn users without requiring authentication, which could lead to unauthorized access to personal data.
Such unauthorized exposure of user data may result in non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls on access to personal and sensitive information.
Can you explain this vulnerability to me?
This vulnerability involves a specific endpoint in the Gardyn system that exposes all user account information for registered users without requiring any authentication.
How can this vulnerability impact me? :
Because the endpoint exposes all user account information without authentication, an attacker could access sensitive personal data of all registered users. This could lead to privacy breaches, identity theft, and unauthorized use of user information.