All incidents

Critical flaw in Gardyn IoT Hub lets attackers run code remotely

vulnerabilityopenJul 2, 2026 — Jul 10, 2026
Critical flaw in Gardyn IoT Hub lets attackers run code remotely

RESEARCHERS have uncovered a critical flaw in the Gardyn IoT Hub that permits attackers to execute arbitrary code on the smart‑gardening system without authentication, as detailed in a recent security advisory published by securityonline.info. The vulnerability stems from hard‑coded credentials embedded in the hub’s firmware, allowing unauthenticated remote command execution.

The primary issue is tracked as CVE-2026-13768 and carries a CVSS score of 10.0, reflecting its potential to compromise the device fully. Two additional flaws were identified: CVE-2026-55726, rated 6.9, which could leak sensitive configuration data, and CVE-2026-54477, rated 5.4, involving insufficient security headers that may aid further attacks.

Affected releases include Gardyn Home Firmware, Studio Firmware and the Cloud API prior to version 2.12.2026, as well as the master.627 build. Exploitation involves sending specially crafted requests to the hub’s exposed service ports, bypassing any authentication checks and granting the attacker shell‑level access.

The CISA advisory ICSA-26-183-03, released on 2 July 2026, confirms the risk and notes that more than 138 000 Gardyn devices are currently registered worldwide. To date there is no public evidence of active exploitation, and no specific threat actors have been linked to the vulnerabilities.

Defenders should immediately apply the patches released by Gardyn, updating to firmware version master.627 or the Cloud API release 2.12.2026. Ensuring that each hub maintains outbound internet connectivity will allow it to receive these updates automatically, and users are advised to install the latest version of the Gardyn mobile app.

Additional precautions include placing the hub behind a firewall or on a segregated network segment to limit exposure to the internet, reviewing system logs for unexpected command executions, and consulting the CISA advisory for further mitigation guidance such as disabling unnecessary services and changing any default credentials where possible.

Intelligence briefing updated Jul 10, 2026

CVE-2026-13768 10.0 CVE-2026-55726 6.9 CVE-2026-54477 5.4
Root sourcemygardyn.com
Timeline Coverage

Swipe to explore timeline