Multiple Critical Vulnerabilities in Gardyn IoT Hub Allow Unauthenticated Control
CISA has issued an advisory detailing critical vulnerabilities in Gardyn IoT Hub devices, including CVE-2026-13768, which could allow unauthenticated attackers to execute arbitrary commands and pivot to other network devices.

CISA has issued a stern warning regarding multiple critical vulnerabilities discovered in Gardyn IoT Hub devices, affecting Home Firmware, Studio Firmware, and Cloud API versions prior to 2.12.2026. These flaws, if exploited, could grant unauthenticated attackers significant control over managed devices, posing a serious risk to users.
The most critical of these vulnerabilities, CVE-2026-13768, involves the exposure of a privileged iothubowner key. Access to this key allows a malicious actor to invoke an IoTHub Registry Manager function, which can then reveal connection information for all Gardyn Home Kit and Studio devices. Furthermore, this access enables the attacker to execute arbitrary commands on a specific connected device and potentially pivot to other devices on the user's network, leading to widespread compromise.
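The flaw above is a credential-scoping problem: a single hub-wide iothubowner key, once exposed, grants registry-manager rights over every device. The least-privilege alternative is a short-lived credential bound to one device identity. The following added example (not Gardyn's code or its fix) mints and verifies such a token using Azure IoT Hub's documented SAS token format (sr, sig and se fields, HMAC-SHA256 over the URL-encoded resource URI and expiry); the hub name, device id and key are constructed placeholders.

```python
"""Least-privilege alternative to embedding a hub-wide iothubowner key in a
client: mint and verify a short-lived SAS token scoped to a single device.
Added illustration following Azure IoT Hub's documented SAS token format;
the hub host, device id and key below are constructed, not Gardyn's."""
import base64
import hashlib
import hmac
import time
from urllib.parse import quote, unquote

HUB_HOST = "example-hub.azure-devices.net"  # constructed hub name
DEVICE_ID = "gardyn-home-0001"              # constructed device id
DEVICE_KEY = base64.b64encode(b"constructed-per-device-secret-key").decode()


def device_resource_uri(hub_host: str, device_id: str) -> str:
    """The scope a device token is bound to: one device identity, not the hub."""
    return f"{hub_host}/devices/{device_id}"


def _sign(key_b64: str, resource_uri: str, expiry: int) -> str:
    """sig = base64(HMAC-SHA256(key, "<url-encoded sr>\\n<se>"))."""
    msg = f"{quote(resource_uri, safe='')}\n{expiry}".encode()
    digest = hmac.new(base64.b64decode(key_b64), msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def mint_device_token(hub_host, device_id, key_b64, ttl_seconds=3600, now=None) -> str:
    """Token usable by exactly one device. Unlike an iothubowner key it cannot
    enumerate or command other devices, and it expires after ttl_seconds."""
    now = int(time.time()) if now is None else now
    expiry = now + ttl_seconds
    sr = device_resource_uri(hub_host, device_id)
    sig = _sign(key_b64, sr, expiry)
    return f"SharedAccessSignature sr={quote(sr, safe='')}&sig={quote(sig, safe='')}&se={expiry}"


def parse_token(token: str) -> dict:
    """Split 'SharedAccessSignature k=v&k=v' into a dict of URL-decoded fields."""
    scheme, _, params = token.partition(" ")
    if scheme != "SharedAccessSignature":
        raise ValueError("not a SAS token")
    fields = dict(p.split("=", 1) for p in params.split("&"))
    return {k: unquote(v) for k, v in fields.items()}


def verify_device_token(token, hub_host, device_id, key_b64, now=None) -> bool:
    """Server-side check: signature valid, not expired, bound to this device."""
    now = int(time.time()) if now is None else now
    try:
        f = parse_token(token)
        expiry = int(f["se"])
        sig = f["sig"]
    except (ValueError, KeyError):
        return False
    if f.get("sr") != device_resource_uri(hub_host, device_id) or expiry <= now:
        return False
    expected = _sign(key_b64, f["sr"], expiry)
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    tok = mint_device_token(HUB_HOST, DEVICE_ID, DEVICE_KEY, ttl_seconds=600)
    print(tok)
    print("valid for own device:", verify_device_token(tok, HUB_HOST, DEVICE_ID, DEVICE_KEY))
    print("valid for another device:", verify_device_token(tok, HUB_HOST, "gardyn-home-0002", DEVICE_KEY))
```

The design point is in the verifier: a token whose sr names one device is rejected for any other device and after its se expiry, so leaking it exposes one device for a bounded time rather than the whole registry.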
Another significant vulnerability, CVE-2026-55726, stems from an unauthenticated Azure Blob Storage container used for storing device logs. This public accessibility allows any attacker to view any device log file, potentially revealing sensitive system information that could aid in further exploitation. The CVSS score for this vulnerability is rated at 5.3 (MEDIUM).
A third vulnerability, CVE-2026-54477, affects the device's admin panel, which lacks essential security headers. This deficiency makes the panel susceptible to clickjacking and cross-site scripting (XSS) attacks, further compromising the security posture of the IoT Hub.
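The header weakness described above is straightforward to audit from a captured response. The following added example (not from the advisory or the vendor) checks a response's headers for the framing and script controls whose absence enables clickjacking and widens XSS impact, and compares a constructed unhardened header set with a hardened one; none of the header values are captured from a Gardyn device.

```python
"""Audit an HTTP response's headers for the anti-clickjacking and XSS-limiting
controls whose absence CVE-2026-54477 describes. Added illustration; the two
header sets at the bottom are constructed, not captured from a real device."""
from typing import Dict, List, Optional


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup (HTTP header names are case-insensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def _csp_directive(csp: str, directive: str) -> Optional[List[str]]:
    """Return the source list of one CSP directive, or None if it is absent."""
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() == directive:
            return tokens[1:]
    return None


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the checked controls are present."""
    findings = []
    csp = _get(headers, "Content-Security-Policy")
    frame_ancestors = _csp_directive(csp, "frame-ancestors") if csp else None
    xfo = _get(headers, "X-Frame-Options")

    # Clickjacking: the page must say who may frame it, via CSP frame-ancestors
    # (preferred) or the legacy X-Frame-Options header.
    if frame_ancestors is None and xfo is None:
        findings.append("clickjacking: no frame-ancestors directive and no X-Frame-Options")
    elif frame_ancestors is not None and "*" in frame_ancestors:
        findings.append("clickjacking: frame-ancestors allows any origin (*)")
    elif frame_ancestors is None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"clickjacking: unrecognised X-Frame-Options value {xfo!r}")

    # XSS impact: a CSP with a restrictive script source limits what an injected
    # script can do; without a CSP the browser applies no such limit.
    if csp is None:
        findings.append("xss: no Content-Security-Policy header")
    else:
        script_src = _csp_directive(csp, "script-src") or _csp_directive(csp, "default-src")
        if script_src is None:
            findings.append("xss: CSP sets neither script-src nor default-src")
        elif "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("xss: CSP script sources permit inline or any-origin scripts")

    # MIME sniffing can let a browser execute a non-script body as script.
    if (_get(headers, "X-Content-Type-Options") or "").strip().lower() != "nosniff":
        findings.append("sniffing: X-Content-Type-Options is not 'nosniff'")
    return findings


# Constructed: the response headers of an unhardened admin panel...
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx",
}

# ...and the same response with the headers a hardened configuration sends.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_security_headers(hdrs) or ["OK"])
```

Run against a real response, the headers dict would come from the HTTP client's response object; the check itself is independent of how the headers were obtained.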
The combined impact of these vulnerabilities is rated as CRITICAL, with CVSS v3.1 scores reaching 10.0 and CVSS v4.0 scores reaching 9.5. Successful exploitation could lead to unauthorized access, control, and potential pivoting across a user's network, affecting critical infrastructure sectors such as Food and Agriculture, particularly in the United States where these devices are deployed.
Gardyn has stated that its deployed IoT Hub infrastructure has been updated to address these vulnerabilities. The company urges users to ensure their devices have a stable Internet connection so that the necessary firmware updates are downloaded automatically. Devices that are not currently connected will receive the updates automatically once an Internet connection is established. Gardyn also recommends updating the mobile application to the latest version.
Further details on Gardyn's security practices and updates can be found on their security page at https://mygardyn.com/security/. For direct customer support regarding these vulnerabilities, users can contact Gardyn at support@mygardyn.com.
CISA recommends that users take defensive measures to minimize the risk of exploitation. This includes minimizing network exposure for all control system devices and ensuring they are not accessible from the internet. Additionally, control system networks and remote devices should be located behind firewalls and isolated from business networks.