Severity: CRITICAL | CVE-2026-28766 | CVSS 9.3

CVE-2026-28766: Information Disclosure in Gardyn Cloud API

Platform

other

Component

gardyn

Fixed in

2.12.2026

AI Confidence: high | Source: NVD | EPSS 0.1% | Reviewed: May 2026

CVE-2026-28766 describes a critical information disclosure vulnerability affecting the Gardyn Cloud API. This flaw allows an attacker to retrieve all user account information without authentication, potentially exposing sensitive data like usernames, email addresses, and other profile details. The vulnerability impacts versions 0.0.0 through 2.12.2026 of the API, and a fix is available in version 2.12.2026.

Impact and Attack Scenarios

The impact of CVE-2026-28766 is significant due to the ease of exploitation and the sensitivity of the exposed data. An attacker can simply access a specific endpoint within the Gardyn Cloud API to retrieve a complete list of user accounts and their associated information. This data can be used for identity theft, phishing attacks, or account takeover. The lack of authentication required for this access dramatically lowers the barrier to entry for malicious actors, increasing the risk of widespread compromise. The potential blast radius extends to all Gardyn users, as their personal information is at risk.

Exploitation Context

CVE-2026-28766 was publicly disclosed on April 3, 2026. There is currently no indication of active exploitation or inclusion in the CISA KEV catalog. Public proof-of-concept code is not yet available, but the ease of exploitation suggests it is likely to emerge. The vulnerability's severity and the sensitivity of the exposed data make it a high-priority concern.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 1 threat report

EPSS

0.08% (24th percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Base score: 9.3 (CRITICAL)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)
(CVSS v3.1 base score as listed by nextguardhq.com)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: gardyn
Vendor: Gardyn
Affected range: 0.0.0 – 2.12.2026
Fixed in: 2.12.2026

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-28766 is to immediately upgrade the Gardyn Cloud API to version 2.12.2026 or later. If upgrading is not immediately feasible, consider implementing temporary measures such as restricting access to the vulnerable endpoint through a Web Application Firewall (WAF) or proxy server. Configure the WAF to block any requests to the exposed endpoint that lack proper authentication. Monitor API logs for unusual activity, specifically looking for unauthorized access attempts to the endpoint. After upgrading, confirm the fix by attempting to access the endpoint without authentication; it should now return an authentication error.
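The log-monitoring and post-upgrade verification steps above can be scripted. The following is an added example, not code from the page or from Gardyn: it reads JSON-lines API gateway logs in an assumed schema (fields ts, src, method, path, auth, status, bytes), flags unauthenticated requests to the user-listing endpoint that succeeded (the exposure the advisory describes), counts unauthenticated requests that were rejected with 401/403 (the behaviour expected after the fix), and reports whether the fix looks confirmed. The endpoint path is a labelled placeholder because the page does not name the real one, and the log lines are constructed samples.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# PLACEHOLDER: the advisory does not name the vulnerable endpoint; substitute
# the real user-listing path from the vendor advisory before use.
USER_LISTING_PATH = "/api/v1/users"

# Constructed sample log (not real Gardyn traffic). Two unauthenticated bulk
# reads succeed from one source, one unauthenticated read is rejected.
SAMPLE_LOG = """\
{"ts":"2026-04-03T10:00:01Z","src":"198.51.100.7","method":"GET","path":"/api/v1/users","auth":false,"status":200,"bytes":482113}
{"ts":"2026-04-03T10:00:02Z","src":"203.0.113.9","method":"GET","path":"/api/v1/users/42","auth":true,"status":200,"bytes":1201}
{"ts":"2026-04-03T10:00:03Z","src":"198.51.100.7","method":"GET","path":"/api/v1/users?page=2","auth":false,"status":200,"bytes":480990}
{"ts":"2026-04-03T10:00:04Z","src":"192.0.2.55","method":"GET","path":"/api/v1/users","auth":false,"status":401,"bytes":61}
{"ts":"2026-04-03T10:00:05Z","src":"203.0.113.9","method":"GET","path":"/api/v1/devices","auth":true,"status":200,"bytes":903}
"""

# Constructed sample of what the same endpoint should log after the upgrade:
# unauthenticated requests are rejected, authenticated ones still work.
PATCHED_LOG = """\
{"ts":"2026-04-10T08:00:01Z","src":"198.51.100.7","method":"GET","path":"/api/v1/users","auth":false,"status":401,"bytes":61}
{"ts":"2026-04-10T08:00:02Z","src":"203.0.113.9","method":"GET","path":"/api/v1/users","auth":true,"status":200,"bytes":1201}
"""


def parse_lines(log_text):
    """Parse JSON-lines, skipping blank or malformed lines instead of aborting."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def is_listing_request(path):
    """Match the listing path exactly, ignoring query string and trailing slash.
    Per-user paths such as /api/v1/users/42 are deliberately not matched."""
    return urlsplit(path).path.rstrip("/") == USER_LISTING_PATH


def classify(record):
    """Return 'exposed', 'blocked', 'authenticated', 'other', or None (not in scope)."""
    if record.get("method") != "GET" or not is_listing_request(record.get("path", "")):
        return None
    if record.get("auth"):
        return "authenticated"
    status = int(record.get("status", 0))
    if 200 <= status < 300:
        return "exposed"      # unauthenticated request served the user list
    if status in (401, 403):
        return "blocked"      # unauthenticated request correctly rejected
    return "other"


def triage(log_text):
    """Summarise exposure and whether the fix appears to be in place."""
    exposed, blocked = [], []
    for rec in parse_lines(log_text):
        verdict = classify(rec)
        if verdict == "exposed":
            exposed.append(rec)
        elif verdict == "blocked":
            blocked.append(rec)
    return {
        "exposed_count": len(exposed),
        "blocked_count": len(blocked),
        "exposed_sources": Counter(r["src"] for r in exposed),
        "exposed_bytes": sum(int(r.get("bytes", 0)) for r in exposed),
        # Fix looks confirmed only if no unauthenticated read succeeded and at
        # least one unauthenticated read was rejected (i.e. the check was exercised).
        "fix_confirmed": not exposed and bool(blocked),
    }


if __name__ == "__main__":
    for label, log in (("pre-upgrade", SAMPLE_LOG), ("post-upgrade", PATCHED_LOG)):
        print(label, triage(log))
```

The exposed_bytes figure is worth watching alongside the count: a full account dump is a much larger response than a normal per-user read, so unauthenticated 2xx responses with large bodies on the listing path are the strongest indicator that the data was actually retrieved rather than merely probed.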

How to fix

Update the Gardyn Cloud API to version 2.12.2026 or later to implement the necessary authentication on the vulnerable endpoint. This will prevent the unauthorized exposure of user account information.


Frequently asked questions

What is CVE-2026-28766 — Information Disclosure in Gardyn Cloud API?

CVE-2026-28766 is a critical vulnerability in the Gardyn Cloud API where unauthenticated access exposes all user account information. It has a CVSS score of 9.3 and affects versions 0.0.0–2.12.2026.

Am I affected by CVE-2026-28766 in Gardyn Cloud API?

If you are a Gardyn user and are running the Gardyn Cloud API version 0.0.0 through 2.12.2026, you are potentially affected by this vulnerability.

How do I fix CVE-2026-28766 in Gardyn Cloud API?

Upgrade the Gardyn Cloud API to version 2.12.2026 or later to resolve the vulnerability. As a temporary measure, restrict access to the vulnerable endpoint using a WAF.

Is CVE-2026-28766 being actively exploited?

There is currently no confirmed evidence of active exploitation, but the ease of exploitation suggests it is a potential risk.

Where can I find the official Gardyn advisory for CVE-2026-28766?

Please refer to the official Gardyn security advisory for detailed information and updates regarding CVE-2026-28766.
