User Profile Pivoting Vulnerability in Gardyn's API
CVE-2026-25197

9.3CRITICAL

Key Information:

Vendor: Gardyn
Status: Cloud Api
Vendor: CVE Published:; 3 April 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-25197?

A security flaw exists within the Gardyn API that permits authenticated users to access and modify data related to other user profiles. By manipulating the identifier in API calls, an attacker can gain unintended access to sensitive information, potentially leading to unauthorized data exposure and privacy risks.

Affected Version(s)

Cloud API 0 < 2.12.2026

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-25197
Created by MichaelAdamGroberman

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-0...

https://mygardyn.com/security/

https://github.com/cisagov/CSAF/blob/develop/csaf_files/O...

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 3, 2026
👾
Exploit known to exist
Apr 3, 2026
Vulnerability published
Apr 3, 2026
Vulnerability Reserved
Mar 17, 2026

Credit

Michael Groberman reported these vulnerabilities to CISA.

CVE-2026-25197 Data

JSON