CVE Catalog

CVE-2026-13768

Severity: Critical (CVSS 10.0)
Source: NVD (NIST)

Summary

Gardyn devices expose a privileged iothubowner key. Access to this key allows an attacker to invoke an IoTHub Registry Manager function that returns connection information for all Gardyn Home Kit and Studio devices. It also enables arbitrary command execution on a specific connected device and may allow pivoting to other devices on the user's network.

Risk Assessment

The risk includes unauthorized access to sensitive configuration data of all Gardyn devices, remote code execution on a targeted device, and potential lateral movement to other devices on the local network, leading to privacy breaches and system compromise.

Recommendation

Update the Gardyn device firmware to the latest version that addresses this vulnerability as soon as possible. Additionally, restrict access to the iothubowner key (a hub-wide policy that should never be embedded in a device) and monitor the network for suspicious activity.
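The recommendation above hinges on one check a defender can automate: does any device image, config dump or mobile-app bundle carry an Azure IoT Hub connection string scoped to a hub-wide policy such as iothubowner, rather than a per-device credential? The following scanner is an added example written for this page, not Gardyn's or Microsoft's code. It assumes only the public IoT Hub connection-string format (`HostName=...;SharedAccessKeyName=...;SharedAccessKey=...` for policy-scoped strings, `HostName=...;DeviceId=...;SharedAccessKey=...` for device-scoped ones) and the default policy names Azure IoT Hub creates; the sample config blob is constructed for the demonstration.

```python
import hashlib
import re

# Default Azure IoT Hub shared-access policies that grant hub-wide rights.
# iothubowner holds every permission (registry read/write, service and
# device connect); registryReadWrite and service are also hub-wide.
PRIVILEGED_POLICIES = {"iothubowner", "registryreadwrite", "service"}

# A connection string is HostName=... followed by one or more ;Key=Value
# pairs; stop at whitespace, quotes or a bare semicolon.
CONNSTR_RE = re.compile(r"HostName=[^;\s\"']+(?:;[A-Za-z]+=[^;\s\"']+)+")


def parse_connection_string(conn_str):
    """Split 'K1=V1;K2=V2' into a dict; values may themselves contain '='."""
    parts = {}
    for pair in conn_str.split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            parts[key.strip()] = value.strip()
    return parts


def find_embedded_hub_credentials(blob):
    """Return one finding per IoT Hub connection string found in blob.

    Each finding records the hub host, the scope of the credential (a
    shared-access policy name, or a DeviceId for a device-scoped string),
    whether that scope is hub-wide, and a truncated hash of the key so the
    report never repeats the secret itself.
    """
    findings = []
    for match in CONNSTR_RE.finditer(blob):
        fields = parse_connection_string(match.group(0))
        policy = fields.get("SharedAccessKeyName", "")
        key = fields.get("SharedAccessKey", "")
        findings.append({
            "host": fields.get("HostName"),
            "policy": policy,
            "device_id": fields.get("DeviceId"),
            "privileged": policy.lower() in PRIVILEGED_POLICIES,
            "key_fingerprint": hashlib.sha256(key.encode()).hexdigest()[:12],
        })
    return findings


def has_privileged_credential(blob):
    """True if any embedded connection string uses a hub-wide policy."""
    return any(f["privileged"] for f in find_embedded_hub_credentials(blob))


# Constructed sample: a config that embeds both a hub-wide owner credential
# (the class of exposure this CVE describes) and a proper per-device one.
# Host name and keys are placeholders, not real values.
SAMPLE_CONFIG = (
    '{"hub": "HostName=example-hub.azure-devices.net;'
    'SharedAccessKeyName=iothubowner;SharedAccessKey=QUJDREVGR0hJSktMTU5PUA==",\n'
    ' "device": "HostName=example-hub.azure-devices.net;'
    'DeviceId=kit-0001;SharedAccessKey=ZGV2aWNla2V5ZGV2aWNla2V5"}'
)

if __name__ == "__main__":
    for finding in find_embedded_hub_credentials(SAMPLE_CONFIG):
        scope = finding["policy"] or f"device:{finding['device_id']}"
        flag = "HUB-WIDE" if finding["privileged"] else "ok"
        print(f"{finding['host']}  scope={scope}  key={finding['key_fingerprint']}  {flag}")
```

Run it over extracted firmware strings, a decompiled app, or a configuration export; any `HUB-WIDE` line means a single device holds a credential that can enumerate and address every device registered to the hub, which is exactly the condition to remediate by rotating that policy key and issuing device-scoped credentials instead.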

Original NVD description (English source)

Gardyn devices expose a privileged iothubowner key. Access to this key will allow a malicious user to invoke an IoTHub Registry Manager function which returns connection information for all Gardyn Home Kit and Studio devices. Access to this key also allows a malicious user to execute arbitrary commands on a specific connected device and may allow the malicious user to pivot to other devices on the user's network.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS