IoT Hub
by Mygardyn
CVEs (4)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-13768 | cri | 0.65 | 10.0 | 0.01 | Jul 2, 2026 | Gardyn devices expose a privileged iothubowner key. Access to this key will allow a malicious user to invoke an IoTHub Registry Manager function which returns connection information for all Gardyn Home Kit and Studio devices. Access to this key also allows a malicious user to… | ||
| CVE-2025-1242 | Cri | 0.59 | 9.1 | 0.00 | Feb 25, 2026 | The administrative credentials can be extracted through application API responses, mobile application reverse engineering, and device firmware reverse engineering. The exposure may result in an attacker gaining full administrative access to the Gardyn IoT Hub exposing connected… | ||
| CVE-2026-54477 | med | 0.35 | 5.4 | 0.00 | Jul 2, 2026 | The admin panel lacks standard security headers, enabling clickjacking and cross-site scripting attacks. | ||
| CVE-2026-55726 | med | 0.34 | 5.3 | 0.00 | Jul 2, 2026 | The Azure Blob Storage container used for Gardyn device logs is publicly listable without authentication. A malicious user would be able to access any device log file available in the blob storage container. |
- risk 0.65cvss 10.0epss 0.01
Gardyn devices expose a privileged iothubowner key. Access to this key will allow a malicious user to invoke an IoTHub Registry Manager function which returns connection information for all Gardyn Home Kit and Studio devices. Access to this key also allows a malicious user to…
- risk 0.59cvss 9.1epss 0.00
The administrative credentials can be extracted through application API responses, mobile application reverse engineering, and device firmware reverse engineering. The exposure may result in an attacker gaining full administrative access to the Gardyn IoT Hub exposing connected…
- risk 0.35cvss 5.4epss 0.00
The admin panel lacks standard security headers, enabling clickjacking and cross-site scripting attacks.
- risk 0.34cvss 5.3epss 0.00
The Azure Blob Storage container used for Gardyn device logs is publicly listable without authentication. A malicious user would be able to access any device log file available in the blob storage container.