Cyber Posture

CVE-2026-32646

High

Published: 03 April 2026
Modified: 22 April 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0009 (24.6th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32646 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Mygardyn Cloud Api. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 24.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly identifies and restricts critical functions like the administrative endpoint that can be accessed without authentication, preventing unauthorized exposure of device management capabilities.

prevent

Mandates unique identification and authentication for system services, directly addressing the missing authentication on the vulnerable administrative endpoint.

prevent

Enforces approved authorizations requiring authentication for logical access to sensitive device management functions exposed by the endpoint.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1082 System Information Discovery (Discovery)
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

Why these techniques?

Missing authentication on a public administrative endpoint directly enables T1190 exploitation for unauthenticated network access; the resulting read-only exposure of configuration and user data facilitates T1005 (local data access) and T1082 (system information discovery).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A specific administrative endpoint is accessible without proper authentication, exposing device management functions.

Deeper analysis

CVE-2026-32646 is a vulnerability where a specific administrative endpoint lacks proper authentication, exposing device management functions. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is mapped to CWE-306 (Missing Authentication for Critical Function). The affected software or components are covered in CISA's ICS Advisory ICSA-26-055-03, the corresponding CSAF document on GitHub, and the vendor security notice at mygardyn.com/security.

Remote attackers require only network access with no privileges, user interaction, or special conditions to exploit this issue. Successful exploitation grants high confidentiality impact by allowing unauthorized access to sensitive device management functions, potentially revealing configuration details, user data, or operational information without affecting integrity or availability.

Mitigation details are provided in the referenced advisories, including CISA's ICSA-26-055-03 at cisa.gov/news-events/ics-advisories/icsa-26-055-03, the CSAF JSON file at github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-03.json, and the vendor advisory at mygardyn.com/security. Security practitioners should consult these sources for patching instructions, workarounds, and affected product versions.

Details

CWE(s)

Affected Products

mygardyn cloud api ≤ 2.12.2026

CVEs Like This One

CVE-2026-28766: Same product: Mygardyn Cloud Api
CVE-2026-25197: Same product: Mygardyn Cloud Api
CVE-2026-2754: Shared CWE-306
CVE-2026-34732: Shared CWE-306
CVE-2025-25224: Shared CWE-306
CVE-2025-43428: Shared CWE-306
CVE-2025-30111: Shared CWE-306
CVE-2025-24865: Shared CWE-306
CVE-2025-0108: Shared CWE-306
CVE-2026-1453: Shared CWE-306
