Authentication Bypass Vulnerability in Gardyn Products
CVE-2026-28766

9.2CRITICAL

Key Information:

Vendor: Gardyn
Status: Cloud Api
Vendor: CVE Published:; 3 April 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-28766?

A security flaw in Gardyn products allows unauthenticated access to sensitive endpoint information, exposing all user account data for registered users. This vulnerability presents a significant risk, as it enables potential attackers to retrieve personal information without the need for authentication, compromising user privacy and security.

Affected Version(s)

Cloud API 0 < 2.12.2026

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-28766
Created by MichaelAdamGroberman

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-0...

https://mygardyn.com/security/

https://github.com/cisagov/CSAF/blob/develop/csaf_files/O...

CVSS V4

Score:

9.2

Severity:

CRITICAL

Confidentiality:

High

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 3, 2026
👾
Exploit known to exist
Apr 3, 2026
Vulnerability published
Apr 3, 2026
Vulnerability Reserved
Mar 17, 2026

Credit

Michael Groberman reported these vulnerabilities to CISA.

CVE-2026-28766 Data

JSON