Cyber Resilience

CVE-2026-28766

Critical

Published: 03 April 2026

Published
03 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v4 9.2 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0044 34.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-28766 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Mygardyn Cloud Api. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-28766 is a vulnerability in the Gardyn service where a specific endpoint exposes all user account information for registered Gardyn users without requiring authentication. This affects the Gardyn platform and is classified under CWE-306 (Missing Authentication for Critical Function), with a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N). The vulnerability was published on 2026-04-03T21:17:10.387.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation grants access to all registered user account information, enabling high confidentiality impact through data exposure and low integrity impact, all within the vulnerable component's scope.

Advisories providing details on mitigations include CISA ICSA-26-055-03 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03, the Gardyn security page at https://mygardyn.com/security/, and the related CSAF document at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-03.json.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A specific endpoint exposes all user account information for registered Gardyn users without requiring authentication.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1087.004 Cloud Account Discovery
Adversaries may attempt to get a listing of cloud accounts.
T1530 Data from Cloud Storage Collection
Adversaries may access data from cloud storage.
Why these techniques?

Missing authentication on public endpoint directly enables remote exploitation of the web app (T1190) and provides unauthenticated access to all cloud user accounts and identity data (T1087.004, T1530).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32646Same product: Mygardyn Cloud Api
CVE-2026-25197Same product: Mygardyn Cloud Api
CVE-2026-4810Shared CWE-306
CVE-2025-53847Shared CWE-306
CVE-2025-61757Shared CWE-306
CVE-2025-68715Shared CWE-306
CVE-2026-21992Shared CWE-306
CVE-2025-26362Shared CWE-306
CVE-2026-48692Shared CWE-306
CVE-2022-50981Shared CWE-306

Affected Assets

mygardyn
cloud api
≤ 2.12.2026

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires organizations to explicitly identify and limit user actions performable without identification or authentication, preventing exposure of all user account information via unauthenticated endpoints.

prevent

Mandates verification of authorization prior to access on public interfaces, directly mitigating unauthenticated remote access to sensitive user account data.

prevent

Enforces approved authorizations for logical access to information and resources, addressing the failure to restrict endpoint access to authenticated users only.

References