CVE-2026-13768
Gardyn IoT Hub Use of Hard-coded Credentials
CVSS Score
10.0
EPSS Score
0.0%
EPSS Percentile
0th
Gardyn devices expose a privileged iothubowner key. Access to this key will allow a malicious user to invoke an IoTHub Registry Manager function which returns connection information for all Gardyn Home Kit and Studio devices. Access to this key also allows a malicious user to execute arbitrary commands on a specific connected device and may allow the malicious user to pivot to other devices on the user's network.
| CWE | CWE-798 |
| Vendor | gardyn |
| Product | gardyn home firmware |
| Published | Jul 2, 2026 |
Stay Ahead of the Next One
Get instant alerts for gardyn gardyn home firmware
Be the first to know when new critical vulnerabilities affecting gardyn gardyn home firmware are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low
Affected Versions
Gardyn / Gardyn Home Firmware
0 < master.627
Gardyn / Gardyn Studio Firmware
0 < master.627
Gardyn / Gardyn Cloud API
0 < 2.12.2026
References
Credits
Michael Groberman reported this vulnerability to CISA.