CVE-2026-28766

Critical

Published: 03 April 2026

Published

03 April 2026

Modified

22 April 2026

KEV Added

—

Patch

—

CVSS Score 9.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

EPSS Score 0.0009 24.6th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-28766 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Mygardyn Cloud Api. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Directly requires organizations to explicitly identify and limit user actions performable without identification or authentication, preventing exposure of all user account information via unauthenticated endpoints.

SC-14 Public Access Protections good match

prevent

Mandates verification of authorization prior to access on public interfaces, directly mitigating unauthenticated remote access to sensitive user account data.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for logical access to information and resources, addressing the failure to restrict endpoint access to authenticated users only.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1087.004 Cloud Account Discovery

Adversaries may attempt to get a listing of cloud accounts.

attack.mitre.org →

T1530 Data from Cloud Storage Collection

Adversaries may access data from cloud storage.

attack.mitre.org →

Why these techniques?

Missing authentication on public endpoint directly enables remote exploitation of the web app (T1190) and provides unauthenticated access to all cloud user accounts and identity data (T1087.004, T1530).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A specific endpoint exposes all user account information for registered Gardyn users without requiring authentication.

Deeper analysisAI

CVE-2026-28766 is a vulnerability in the Gardyn service where a specific endpoint exposes all user account information for registered Gardyn users without requiring authentication. This affects the Gardyn platform and is classified under CWE-306 (Missing Authentication for Critical Function), with a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N). The vulnerability was published on 2026-04-03T21:17:10.387.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation grants access to all registered user account information, enabling high confidentiality impact through data exposure and low integrity impact, all within the vulnerable component's scope.

Advisories providing details on mitigations include CISA ICSA-26-055-03 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03, the Gardyn security page at https://mygardyn.com/security/, and the related CSAF document at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-03.json.