Cyber Posture

CVE-2026-25197

Critical

Published: 03 April 2026

Modified: 22 April 2026

CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (10.2th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25197 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Mygardyn Cloud Api. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 10.2th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Enforces approved authorizations for API access to user profiles, preventing authenticated users from pivoting to unauthorized profiles by validating the modified ID parameter against the requesting user's permissions.

prevent: Validates the user ID input in API calls so that only authorized profiles can be reached, mitigating parameter-tampering attempts.

prevent: Implements least privilege so that authenticated users can access only their own profiles, reducing the impact of ID modification attempts.
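The three controls above amount to one rule: derive the authorization decision from the session, never from the id the client supplies. The following is an added example, not code from the Mygardyn Cloud API or from this page; the profile store, the Session type, the "support_admin" role and all function names are assumptions made for illustration. It places the CWE-639 pattern beside its hardened form.

```python
"""Object-level authorization for a "get profile by id" endpoint (added example;
data model, role name and function names are assumptions, not the vendor's API)."""
from dataclasses import dataclass

# Constructed sample data: profile id -> record, with the owning user id.
PROFILES = {
    1001: {"owner": 1001, "email": "alice@example.invalid"},
    1002: {"owner": 1002, "email": "bob@example.invalid"},
}

@dataclass(frozen=True)
class Session:
    user_id: int                      # established by authentication, not by the request body
    roles: frozenset = frozenset()

class NotFound(Exception):
    """Raised for missing AND unauthorized ids so the two cases are indistinguishable."""

def get_profile_vulnerable(session: Session, profile_id: int) -> dict:
    """CWE-639 pattern: the id is user-controlled and trusted as-is.
    Any authenticated session reads any profile just by changing the number."""
    if profile_id not in PROFILES:
        raise NotFound()
    return PROFILES[profile_id]

def can_access(session: Session, profile: dict) -> bool:
    """AC-3 / AC-6: a user may read only their own profile unless they hold an
    explicitly granted support role (assumed role name)."""
    return profile["owner"] == session.user_id or "support_admin" in session.roles

def get_profile_hardened(session: Session, profile_id: int) -> dict:
    """Look the object up, then authorize the *session* against the object's owner."""
    profile = PROFILES.get(profile_id)
    if profile is None or not can_access(session, profile):
        # Same error for unknown and forbidden ids: no oracle for id enumeration.
        raise NotFound()
    return profile

def get_own_profile(session: Session) -> dict:
    """Preferred shape for self-service endpoints: no client-supplied id at all."""
    return get_profile_hardened(session, session.user_id)

def is_denied(session: Session, profile_id: int) -> bool:
    """True when the hardened endpoint refuses the id for this session."""
    try:
        get_profile_hardened(session, profile_id)
    except NotFound:
        return True
    return False
```

The vulnerable function returns Bob's record to Alice's session; the hardened one refuses it with the same error it gives for an id that does not exist.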

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1078 Valid Accounts (Stealth)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

An authorization bypass (IDOR) in a network-accessible API endpoint directly enables exploitation of a public-facing application (T1190) and unauthorized pivoting to other valid user accounts and profiles (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A specific endpoint allows authenticated users to pivot to other user profiles by modifying the id number in the API call.

Deeper analysis

CVE-2026-25197 is an authorization bypass vulnerability (CWE-639) in a specific API endpoint that allows authenticated users to pivot to other user profiles by modifying the ID number in the API call. Published on 2026-04-03, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). The vulnerability affects a component covered under CISA ICS Advisory ICSA-26-055-03, with details referenced on the vendor's security page at mygardyn.com/security/.

An attacker with authenticated access to the API can exploit this issue over the network with low complexity and no user interaction by altering the user ID parameter in requests. This enables unauthorized access to other users' profiles, resulting in high confidentiality and integrity impacts, such as viewing or potentially modifying sensitive profile data. The CVSS PR:N vector suggests no privileges may be required in some contexts, though the description specifies authenticated users.

CISA's ICS Advisory ICSA-26-055-03, together with the vendor security notice at mygardyn.com/security/ and the corresponding CSAF JSON file, provides guidance on mitigations, including patches or workarounds for affected systems. Security practitioners should consult these resources for specific remediation steps.

Details

CWE(s)

CWE-639 Authorization Bypass Through User-Controlled Key

Affected Products

mygardyn cloud api ≤ 2.12.2026

CVEs Like This One

CVE-2026-28766 (same product: Mygardyn Cloud Api)
CVE-2026-32646 (same product: Mygardyn Cloud Api)
CVE-2025-14998 (shared CWE-639)
CVE-2024-11285 (shared CWE-639)
CVE-2024-11284 (shared CWE-639)
CVE-2026-4208 (shared CWE-639)
CVE-2025-40805 (shared CWE-639)
CVE-2026-4503 (shared CWE-639)
CVE-2026-40600 (shared CWE-639)
CVE-2023-53955 (shared CWE-639)