Unauthorized Access Vulnerability in Gardyn's Device Management Interface
CVE-2026-32646

8.7HIGH

Key Information:

Vendor: Gardyn
Status: Cloud Api
Vendor: CVE Published:; 3 April 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-32646?

An unauthorized access vulnerability exists in Gardyn's Smart Garden System, allowing attackers to access a specific administrative endpoint without proper authentication. This exposure could enable malicious actors to manipulate device management functions, posing a security risk to users' systems. Organizations using affected versions should implement immediate measures to secure their interfaces and protect against potential exploitation.

Affected Version(s)

Cloud API 0 < 2.12.2026

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-32646
Created by MichaelAdamGroberman

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-0...

https://mygardyn.com/security/

https://github.com/cisagov/CSAF/blob/develop/csaf_files/O...

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 3, 2026
👾
Exploit known to exist
Apr 3, 2026
Vulnerability published
Apr 3, 2026
Vulnerability Reserved
Mar 17, 2026

Credit

Michael Groberman reported these vulnerabilities to CISA.

CVE-2026-32646 Data

JSON