u/Present-Evening-1838

▲ 23 r/Gardyn

Follow-up to my February PSA: two federal updates landed July 2, 2026

Quick update for anyone who saw my earlier post about the CISA advisory covering our favorite device and the infrastructure it's connected to.

Two things happened on July 2, and one of them is worth understanding even though — same as last time — there's nothing you need to install.

What's new:

  1. A second advisory, ICSA-26-183-03, was published covering the Gardyn "IoT Hub" (the cloud service that manages the devices). It lists three new CVEs. The lead one, CVE-2026-13768, is rated CVSS 10.0 — the maximum the scale allows, higher than the 9.3 that was the top number in the original advisory.

  2. The original advisory (ICSA-26-055-03) was revised to "Update B." Those changes are administrative: the affected firmware version numbers were adjusted, and the "how to update" guidance now just says to run the most current version.

What the 10.0 actually means, in plain terms:

Remember the field list from my last post — the exposed records included "Azure IoT Hub administrative credentials." This new advisory is CISA formally scoring that credential. In plain language it's a single master key, and it doesn't unlock one device: it returns the connection details for the entire fleet of Gardyn Home and Studio devices, can be used to run commands on a connected device, and may be usable to reach other devices on the same home network. That fleet-wide scope is why it lands at 10.0.

One thing worth noting on the "it's fixed" question:

The original February advisory stated the device command-injection bug (the one that let someone run commands on a Home Kit) was fixed, and Update A in April repeated that. The advisory published the same day as Update B describes a different route to running commands on a device — and scores it at the maximum. Different entry point, same end result. I'll let people draw their own conclusions; I'm just noting what the federal record now shows side by side.

Per the vendor, the cloud infrastructure behind these new items has been updated, so — as before — there's nothing to install on your end if your app and device are current.

What I'd suggest (short version):

If you already did the "put smart devices on a separate guest/IoT WiFi network" step from my last post, that's the one that matters most here, since this is a device-control credential. If you didn't, it's the single highest-value thing to do — it keeps a misbehaving device from reaching your smart devices (Alexa Dot, Google Home, etc.) laptop, or phone. The rest of the hygiene from the earlier post still applies, and nothing new is required.

For the background on notifications and the "not a data breach" characterization, see my February post and the docs site below — nothing in these July updates changes that discussion.

Same standing as before: I'm a Gardyn customer, my own account was in the exposed records, and my own device is what I was working with. CISA credits me as the reporting researcher. No financial interest, and I'm not asking anyone to do anything but read the primary sources and decide for themselves.

New advisory (IoT Hub): https://www.cisa.gov/news-events/ics-advisories/icsa-26-183-03

Original advisory (now Update B): https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03

Documentation site (primary-source, fact-only): https://gardyn-security-incident.info

reddit.com
u/Present-Evening-1838 — 2 days ago
▲ 49 r/Gardyn+1 crossposts

Hey r/Gardyn — fellow customer here. Posting this with the mods' go-ahead because I think the rest of the community deserves to know about something most of us haven't been told.

If you had a Gardyn account up until February 2026, this is for you.

CISA (the federal Cybersecurity and Infrastructure Security Agency) published an advisory in February 2026 documenting security issues in Gardyn cloud services and devices. It's been updated since then to cover 10 separate CVEs. The most significant finding is CVE-2026-28766, rated CVSS 9.3 (Critical).

Good news first: the patches are already in place. Gardyn pushed firmware, app, and cloud API updates automatically — there is nothing customers need to do on the technical side. If your device is connected and updating normally, you're patched.

The reason I'm posting isn't to tell you to update something. It's that as far as I can tell, none of us were ever told this happened.

What the federal advisory says was exposed

The advisory describes an unauthenticated cloud API endpoint that returned "all user account information" for approximately 134,215 customers. The endpoint required no login, no authentication, no special access — just a single web request from anywhere on the internet.

Per evidence I preserved during coordinated disclosure (full record at the links below), each of the 134,215 records returned by that endpoint included:

  • Full name
  • Email address
  • Phone number
  • Last four digits of payment card (for paying members)
  • Membership type and expiration
  • Internal user and device identifiers
  • Azure IoT Hub administrative credentials
  • Per-device IoT Hub connection strings
  • Timezone and account creation date

What customers were told

I'm not aware of any individual notification being sent to Gardyn customers about this. I've checked the public state attorney general breach-notification databases for California, Maine, Maryland, Texas, Vermont, and New Jersey, and as of today I have not found a Gardyn breach filing in any of them. Gardyn's customer-facing security update post characterizes the matter as "not a data breach."

Each customer can make their own judgment about whether the federal advisory's description of the exposure, plus the field list above, matches what they would consider a "data breach" worth being told about.

What I'd suggest, customer to customer

  1. Read the CISA advisory yourself: https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03
  2. Independent documentation site I maintain (fact-only, primary-source citations): https://gardyn-security-incident.info
  3. If you want a paper trail, every state has a "right to know" or "right to access" mechanism that lets you ask Gardyn in writing what data they hold about you. New Jersey, California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia have specific statutory deadlines for vendors to respond.
  4. If you have specific concerns about exposure of your phone, email, or partial card number, the standard playbook is: enable two-factor on your email, monitor for phishing, watch your card statements.

About me: I'm a Gardyn customer like everyone else here. I bought a Gardyn, used it, ran into a security issue while poking around my own setup, and reported it. Reported it to Gardyn directly in October 2025, then to CERT/CC in December 2025 when the response timeline started getting long. CISA picked it up, validated it, and published the federal advisory in February 2026. They credit me as the reporting researcher in the advisory text — but the underlying reason any of this exists is that my own account was in the exposed records and my own device was the one I was working with.

I have no financial interest in this post and I'm not asking anyone to do anything other than read the federal advisory and decide for themselves.

Happy to answer technical questions in the comments. Thanks to Jayce for keeping the sub running and for greenlighting this post.

u/Present-Evening-1838 — 2 months ago