CISA’s July 2 advisory on the Gardyn IoT Hub drops a CVSS 10 bomb: CVE-2026-13768 exposes a hardcoded iothubowner key that lets any unauthenticated attacker call the IoTHub Registry Manager, grab connection info for every Gardyn Home Kit and Studio device, and then execute arbitrary commands on any connected gadget. That’s not a theoretical pivot vector—it’s keys to the kingdom in plaintext.
The Credential That Shouldn’t Exist
Gardyn’s IoT Hub ships with a privileged iothubowner key baked into the firmware. Access to this key means an attacker can invoke an IoTHub Registry Manager function to retrieve connection information for all Gardyn Home Kit and Studio devices. From there, they can execute arbitrary commands on a specific device and pivot to other devices on the user’s network. The CVSS 3.1 vector string says it all: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L — network-accessible, no privileges, no user interaction, and a scope change that compromises confidentiality and integrity at high severity.
Blob Storage Left Wide Open
Second up, CVE-2026-55726: Gardyn’s Azure Blob Storage container for device logs is publicly listable without any authentication. Attackers can browse and download any device log file stored in the container. CVSS 3.1 score is a middling 5.3, but don’t sleep on it—device logs can leak sensor data, network metadata, and operational patterns in a food-and-agriculture context where uptime and safety matter. CWE-497 (Exposure of Sensitive System Information) nails the root cause.
Admin Panel Missing Basic Security Headers
Third, CVE-2026-54477: the Gardyn admin panel lacks standard security headers, opening the door to clickjacking and cross-site scripting. CVSS 3.1 base score 5.4, but combined with the other two bugs it’s a force multiplier. An attacker who can lure a Gardyn admin to a crafted page can hijack their session and use that admin’s existing credentials or log access. CWE-644 (Improper Neutralization of HTTP Headers for Scripting Syntax) covers the gap.
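Added example, not code from the advisory or from Gardyn: a small audit that checks a set of HTTP response headers for the clickjacking and XSS protections an admin panel like this one should send, run against a constructed weak response and a constructed hardened one (the header values are illustrative, not captured from Gardyn).

```python
from typing import Dict, List, Optional

# Constructed sample responses (not captured from Gardyn): the weak set models an
# admin panel with no hardening headers, the hardened set the corrected configuration.
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Set-Cookie": "session=abc123; Path=/",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
}

def _csp_directive(csp: str, name: str) -> Optional[str]:
    """Return the value of one CSP directive, or None if it is absent."""
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() == name:
            return " ".join(tokens[1:])
    return None

def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for missing clickjacking/XSS protections; an empty list means none."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    csp = h.get("content-security-policy", "")
    xfo = h.get("x-frame-options", "").upper()
    # Clickjacking: need a frame-ancestors directive or X-Frame-Options DENY/SAMEORIGIN.
    if _csp_directive(csp, "frame-ancestors") is None and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("clickjacking: no frame-ancestors directive and no X-Frame-Options")
    # XSS: a CSP restricting script sources; 'unsafe-inline' in it defeats the purpose.
    script_src = _csp_directive(csp, "script-src") or _csp_directive(csp, "default-src")
    if script_src is None:
        findings.append("xss: no script-src or default-src in Content-Security-Policy")
    elif "'unsafe-inline'" in script_src:
        findings.append("xss: script-src allows 'unsafe-inline'")
    # MIME sniffing can let a browser execute a non-script response as script.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("sniffing: X-Content-Type-Options is not nosniff")
    # Session cookie flags limit what a hijacked page can do with the session.
    cookie = h.get("set-cookie", "")
    if cookie:
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        missing = [f for f in ("secure", "httponly") if f not in attrs]
        if missing:
            findings.append("cookie: session cookie lacks " + ", ".join(missing))
    return findings
```

Running `audit_security_headers(WEAK_RESPONSE)` lists four gaps, while the hardened set returns no findings.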
Gardyn states that its deployed IoT Hub infrastructure has been updated to fix all three vulnerabilities. Users need to ensure their devices have internet connectivity to pull the automatic firmware updates; unconnected devices will update once they get a working connection. Gardyn also recommends updating the mobile app to the latest version. Michael Groberman gets the hat tip for reporting these to CISA.
No public exploitation has been reported yet, but with a CVSS 10 credential leak, the window for bad actors to reverse-engineer the fixed firmware and target unpatched devices is real. If you’ve got a Gardyn Home or Studio setup, plug it in and verify the update fetched—this isn’t one to procrastinate on.
Source: Gardyn IoT Hub
Domain: cisa.gov