
CVE-2026-25197

Critical

Published: 03 April 2026
Modified: 22 April 2026
CISA KEV: not listed
CVSS v4.0 base score: 9.3 (Critical)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS score: 0.0029 (21.0th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-25197 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Mygardyn Cloud Api. Its CVSS v4.0 base score is 9.3 (Critical); under CVSS v3.1 it scores 9.1.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 21.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-25197 is an authorization bypass (CWE-639, the pattern commonly called an insecure direct object reference, IDOR) in a specific Mygardyn Cloud Api endpoint: an authenticated user can reach another user's profile simply by changing the numeric ID in the API call. Published on 2026-04-03, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) alongside the v4.0 score of 9.3. The affected component is covered under CISA ICS Advisory ICSA-26-055-03, with details referenced on the vendor's security page at mygardyn.com/security/.

An attacker holding any valid session can exploit this over the network with low complexity and no user interaction by substituting another user's ID in the request. The result is unauthorized access to other users' profiles, with high confidentiality and integrity impact: profile data can be read and, depending on which operations the endpoint exposes, potentially modified. Note the tension in the scoring: the description says authenticated users, yet both the v3.1 and v4.0 vectors carry PR:N. One reading that reconciles the two is that account creation is open, so a self-registered account satisfies the precondition at no real cost; the page does not say which reading applies, so plan for every account holder, including freshly registered ones, being able to exploit it.

CISA's ICS Advisory ICSA-26-055-03, the vendor security notice at mygardyn.com/security/ and the corresponding CSAF JSON file carry the remediation guidance, including patches or workarounds for affected systems. Consult those resources for the specific remediation steps.


Vulnerability details

A specific endpoint allows authenticated users to pivot to other user profiles by modifying the id number in the API call.

CWE(s)

CWE-639 Authorization Bypass Through User-Controlled Key

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts (Initial Access, Persistence, Privilege Escalation, Defense Evasion)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The flaw sits in a network-reachable API endpoint, so exploiting it is a direct instance of exploiting a public-facing application (T1190). The T1078 mapping is looser: the attacker never obtains the victim's credentials and acts from their own legitimately issued account, so the "valid account" in play is the attacker's own login, not the profiles being reached. Detection should therefore key on what a single account does (which profile IDs it requests) rather than on anomalous logins.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
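The point above, that detection should watch what one account does rather than how it logged in, can be turned into a log-level check. The following is an added example, not code from the page, from Mygardyn or from CISA: it parses constructed access-log lines for a profile endpoint of the kind described and flags any principal that requests many profile IDs other than its own. The log format, the route `/api/v1/users/<id>/profile`, the `user=` field and the threshold are all assumptions.

```python
"""Detection heuristic for IDOR enumeration against a per-user profile endpoint.

Added example. The log layout, the route and the threshold below are assumptions;
they are not the Mygardyn Cloud Api's real format.
"""
import re
from collections import defaultdict

# Constructed sample log: one line per request, with the authenticated principal
# recorded as 'user=<id>' and the requested profile ID embedded in the path.
SAMPLE_LOG = """\
2026-04-03T10:00:01Z user=102 GET /api/v1/users/102/profile 200
2026-04-03T10:00:02Z user=102 GET /api/v1/users/101/profile 200
2026-04-03T10:00:02Z user=102 GET /api/v1/users/103/profile 200
2026-04-03T10:00:03Z user=102 GET /api/v1/users/104/profile 200
2026-04-03T10:00:03Z user=102 GET /api/v1/users/105/profile 404
2026-04-03T10:00:04Z user=102 GET /api/v1/users/106/profile 200
2026-04-03T10:00:05Z user=103 GET /api/v1/users/103/profile 200
2026-04-03T10:00:06Z user=103 GET /api/v1/users/103/profile 200
2026-04-03T10:05:00Z user=555 GET /api/v1/users/555/profile 200
"""

# Assumed log shape: "<timestamp> user=<principal> <METHOD> /api/v1/users/<target>/profile <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) (?P<method>[A-Z]+) "
    r"/api/v1/users/(?P<target>\d+)/profile (?P<status>\d{3})$"
)


def parse(log_text):
    """Yield one dict per line that matches the assumed profile-endpoint shape."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_idor_enumeration(log_text, max_foreign_ids=2):
    """Flag principals that touched more than `max_foreign_ids` distinct profile
    IDs other than their own.

    The count includes non-200 responses on purpose: on a patched server the
    attempt still shows up as a burst of 403/404s, while
    'foreign_ids_returned_200' tells you whether data was actually exposed.
    """
    foreign = defaultdict(set)       # principal -> foreign IDs requested
    foreign_ok = defaultdict(set)    # principal -> foreign IDs that returned 200
    for rec in parse(log_text):
        if rec["target"] != rec["user"]:
            target = int(rec["target"])
            foreign[rec["user"]].add(target)
            if rec["status"] == "200":
                foreign_ok[rec["user"]].add(target)

    findings = {}
    for user, ids in foreign.items():
        if len(ids) > max_foreign_ids:
            ordered = sorted(ids)
            # Consecutive IDs are the tell-tale of a scripted ID walk.
            sequential = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
            findings[user] = {
                "distinct_foreign_ids": len(ids),
                "foreign_ids_returned_200": len(foreign_ok[user]),
                "sequential_steps": sequential,
            }
    return findings


if __name__ == "__main__":
    for user, info in find_idor_enumeration(SAMPLE_LOG).items():
        print(f"principal {user}: {info}")
```

The threshold is deliberately low because a legitimate user has no reason to request anybody else's profile on an endpoint like this; a support role that genuinely needs to would be allow-listed out of the check. Keying on the principal rather than the source IP keeps the heuristic meaningful behind NAT and CDNs.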

CVEs Like This One

CVE-2026-28766 (same product: Mygardyn Cloud Api)
CVE-2026-32646 (same product: Mygardyn Cloud Api)
CVE-2026-8890 (shared CWE-639)
CVE-2026-44400 (shared CWE-639)
CVE-2025-14998 (shared CWE-639)
CVE-2024-11284 (shared CWE-639)
CVE-2026-4208 (shared CWE-639)
CVE-2024-11285 (shared CWE-639)
CVE-2026-41471 (shared CWE-639)
CVE-2023-36331 (shared CWE-639)

Affected Assets

Vendor: mygardyn
Product: cloud api
Versions: ≤ 2.12.2026

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

Enforces approved authorizations for API access to user profiles: the ID in the request is checked against the caller's identity and permissions before any profile data is returned, so an authenticated user cannot pivot to another user's profile by editing the parameter.

Input validation of the ID parameter (prevent)

Validates the user ID in API calls so that only profiles the caller is entitled to can be acted on, blocking the parameter-tampering step. Syntactic checks alone (type, range, format) do not address CWE-639; the check has to be an authorization decision tied to the caller's identity.

AC-6 Least Privilege (prevent)

Grants authenticated users access to their own profiles only, so an ID substitution reaches nothing even where a check has been missed elsewhere.
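To make both the attack described under Deeper analysis and the AC-3/AC-6 controls listed here concrete, the following is an added example, not code from Mygardyn, from the advisory or from this page. It shows a vulnerable profile handler that checks only that the caller is logged in, a hardened one that makes an object-level authorization decision before touching any data, and a variant that removes the user-controlled key altogether. The in-memory data model, the `Session` and `Response` types, the route shape and the `support` role are all assumptions.

```python
"""CWE-639 (IDOR) on a per-user profile endpoint: vulnerable handler, hardened
handler, and a key-free variant. Added example with an assumed data model.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: profiles keyed by the numeric ID the API exposes.
PROFILES = {
    101: {"email": "alice@example.com", "garden_name": "Balcony"},
    102: {"email": "bob@example.com", "garden_name": "Kitchen"},
    103: {"email": "carol@example.com", "garden_name": "Patio"},
}


@dataclass
class Session:
    """What the bearer token resolved to: the principal and its roles (assumed)."""
    user_id: int
    roles: frozenset = field(default_factory=frozenset)


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def get_profile_vulnerable(session: Optional[Session], profile_id: int) -> Response:
    """Authenticated but not authorized: any logged-in user can read any profile
    by changing the ID in the request. This is the CVE-2026-25197 pattern."""
    if session is None:
        return Response(401)
    profile = PROFILES.get(profile_id)
    if profile is None:
        return Response(404)
    return Response(200, profile)


def _may_access_profile(session: Session, profile_id: int) -> bool:
    """AC-6: users reach only their own profile; support staff need an explicit
    role (assumed name). Anything else is denied by default."""
    if profile_id == session.user_id:
        return True
    return "support" in session.roles


def get_profile_hardened(session: Optional[Session], profile_id: int) -> Response:
    """AC-3: the requested key is checked against the caller's identity and
    permissions before any data is read."""
    if session is None:
        return Response(401)
    if not _may_access_profile(session, profile_id):
        # Same status as "does not exist" so the endpoint cannot be used to
        # learn which IDs are valid (design choice, not something the page states).
        return Response(404)
    profile = PROFILES.get(profile_id)
    if profile is None:
        return Response(404)
    return Response(200, profile)


def get_own_profile(session: Optional[Session]) -> Response:
    """Strongest fix for the common case: derive the key from the session and
    never accept a profile ID from the client at all (a /me style route)."""
    if session is None:
        return Response(401)
    profile = PROFILES.get(session.user_id)
    if profile is None:
        return Response(404)
    return Response(200, profile)


def enumerate_profiles(handler, session: Session, id_range) -> list:
    """The attacker's step: walk IDs with one valid session and keep every ID
    the endpoint answers with 200."""
    return [pid for pid in id_range if handler(session, pid).status == 200]


if __name__ == "__main__":
    bob = Session(user_id=102)
    print("vulnerable:", enumerate_profiles(get_profile_vulnerable, bob, range(100, 110)))
    print("hardened:  ", enumerate_profiles(get_profile_hardened, bob, range(100, 110)))
```

The authorization decision lives in one function that every handler touching a profile must call; the failure mode in the CVE is a handler that skips it. Returning 404 for both "not yours" and "does not exist" is a second, smaller hardening step that stops the patched endpoint from doubling as an ID oracle.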

References

CISA ICS Advisory ICSA-26-055-03 (with corresponding CSAF JSON file)
Vendor security page: mygardyn.com/security/
MITRE ATT&CK Enterprise v19.0: T1190 Exploit Public-Facing Application, T1078 Valid Accounts