MichaelAdamGroberman/CVE-2026-25197
CERT/CC VU#653116 | CISA Advisory ICSA-26-055-03 | All CVEs | Case Repository

CVE-2026-25197: Authorization Bypass via User-Controlled Key (IDOR)

Advisory

| Field | Value |
|---|---|
| CVE | CVE-2026-25197 |
| ICSA | ICSA-26-055-03 (Update A) |
| CVSS 3.1 | 9.1 (Critical) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| CWE | CWE-639 (Authorization Bypass Through User-Controlled Key) |
| Researcher | Michael Groberman — Gr0m |
| Published | 2026-04-02 (Update A) |

Product

| Field | Value |
|---|---|
| Vendor | Gardyn |
| Product | Gardyn Home Kit 1.0, 2.0, 3.0, 4.0; Gardyn Studio 1.0, 2.0 |
| Component | Cloud API |
| Affected Versions | Cloud API < 2.12.2026 |

Summary

Two REST API endpoints return user data without per-user authorization checks:

  • /api/users returns the full user list. No authentication is required.
  • /api/user/{id} returns the profile of the user identified by {id}. No verification is performed that the requesting party is authorized to access that user's record.

User identifiers are sequential integers, allowing enumeration of all 134,215+ user accounts and their associated devices via the /api/user/{id} endpoint.

Vulnerability Details

Unauthenticated User Listing

The /api/users endpoint accepts unauthenticated requests and returns the complete user list. No authentication, rate limiting, or access logging is performed on this endpoint.

GET [REDACTED — Cloud API host]/api/users
Authentication: NONE

User Profile Endpoint — IDOR

The /api/user/{id} endpoint accepts a user ID as a path parameter and returns the corresponding user's profile. The endpoint performs no authorization check to verify that the requesting party is associated with the requested user. User IDs are sequential integers.

GET [REDACTED — Cloud API host]/api/user/{user_id}

Data exposed per user:

| Field | Description |
|---|---|
| Name | Full name |
| Email | Email address |
| Address | Physical address |
| Devices | Associated device IDs and serials |
| Settings | Account configuration |
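The following is an added illustration, not Gardyn's code and not taken from the advisory: a minimal in-memory Python model of the two endpoints. The `User`, `Request` and `HttpError` names, the sample records and the UUID-keyed store are assumptions. The vulnerable handlers reproduce the shape described above (a caller-supplied sequential key looked up without asking who is calling); the hardened handlers apply the fixes recommended under Remediation: authenticate, verify that the caller owns the requested record, and key records by a non-enumerable identifier.

```python
# Added illustration (not Gardyn's code): in-memory model of /api/users and
# /api/user/{id}, the IDOR shape beside a hardened form.
import uuid
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class User:
    user_id: str
    name: str
    email: str
    address: str
    devices: list = field(default_factory=list)


@dataclass
class Request:
    # Identity of the authenticated caller; None when no valid token was presented.
    caller_id: Optional[str]


class HttpError(Exception):
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


# --- Vulnerable shape: sequential integer keys, no authorization check ---
# Constructed sample records (hypothetical data).
LEGACY_USERS = {
    1: User("1", "Ada Example", "ada@example.invalid", "1 Example St", ["dev-0001"]),
    2: User("2", "Bo Example", "bo@example.invalid", "2 Example St", ["dev-0002"]),
}


def list_users_vulnerable(request: Request) -> list:
    """/api/users: returns every record whether or not the caller is authenticated."""
    return [vars(u) for u in LEGACY_USERS.values()]


def get_user_vulnerable(request: Request, user_id: int) -> dict:
    """/api/user/{id}: looks up the caller-supplied key and never asks who is calling."""
    user = LEGACY_USERS.get(user_id)
    if user is None:
        raise HttpError(404, "not found")
    return vars(user)  # full profile: name, email, address, devices


# --- Hardened shape: opaque keys, authentication and ownership enforced ---
USERS = {}
for _legacy in LEGACY_USERS.values():
    _uid = str(uuid.uuid4())  # non-enumerable identifier replaces the integer
    USERS[_uid] = User(_uid, _legacy.name, _legacy.email, _legacy.address, list(_legacy.devices))
ADA_ID, BO_ID = list(USERS)  # dict preserves insertion order


def get_user_hardened(request: Request, user_id: str) -> dict:
    """/api/user/{id}: authenticate, then verify the caller owns the record."""
    if request.caller_id is None:
        raise HttpError(401, "authentication required")
    # Ownership check. A foreign key gets 404 rather than 403 so the response
    # does not confirm that the requested record exists.
    if user_id != request.caller_id or user_id not in USERS:
        raise HttpError(404, "not found")
    user = USERS[user_id]
    return {"user_id": user.user_id, "name": user.name, "email": user.email,
            "address": user.address, "devices": list(user.devices)}


def list_users_hardened(request: Request) -> list:
    """/api/users: no bulk listing; an authenticated caller sees only their own record."""
    if request.caller_id is None:
        raise HttpError(401, "authentication required")
    return [get_user_hardened(request, request.caller_id)]


def status_of(handler: Callable, *args) -> Optional[int]:
    """Return the HTTP error status a handler raises, or None when it succeeds."""
    try:
        handler(*args)
    except HttpError as err:
        return err.status
    return None


if __name__ == "__main__":
    anon = Request(caller_id=None)
    print("vulnerable /api/users, unauthenticated:", len(list_users_vulnerable(anon)), "records")
    print("vulnerable /api/user/2, unauthenticated:", get_user_vulnerable(anon, 2)["email"])
    print("hardened /api/user/<Bo> as Ada:", status_of(get_user_hardened, Request(ADA_ID), BO_ID))
    print("hardened /api/user/<Ada> as Ada:", get_user_hardened(Request(ADA_ID), ADA_ID)["email"])
```

The ownership check is the part that closes CWE-639; the UUID key on its own only removes the enumeration shortcut, and a leaked or guessed key would still be served without it. Answering a foreign key with 404 keeps the endpoint from acting as an existence oracle for other accounts.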

Predictable Camera Image URLs

Camera image URLs follow a predictable pattern incorporating the sequential user ID, device ID, and timestamp. Once user and device IDs are obtained via the IDOR, an attacker can construct valid URLs to access any user's camera images without additional authentication. The Gardyn camera captures still images only — no audio streams are recorded or exposed.

Impact

  • PII exposure for 134,215+ users via sequential enumeration
  • Access to home interior camera images from approximately 115,000 Gardyn cameras
  • Complete user-to-device mapping enabling targeted attacks
  • Two independent vectors: /api/users (no auth, full user list) and /api/user/{id} (sequential IDOR, any user's data)
  • Privacy violation at scale -- names, emails, physical addresses, device data, camera images

Azure Services Available for This Class of Endpoint

| Service | Purpose |
|---|---|
| Azure AD B2C | Token-based identity with per-user scoped claims |
| UUID/GUID Identifiers | Non-enumerable identifiers |
| Authorization Middleware | Per-request authorization verification |

Remediation

Gardyn recommends upgrading to Cloud API version 2.12.2026 or later. See https://mygardyn.com/security/ for additional information.

Recommended mitigations for device owners:

  • Isolate the Gardyn device on a dedicated VLAN or IoT network segment
  • Consider whether the built-in camera captures sensitive areas of your home

Recommended fix for the vendor:

  1. Implement proper authorization checks on all user and device data endpoints
  2. Replace sequential integer IDs with non-enumerable identifiers (UUIDs)
  3. Validate that the authenticated user owns the requested resource before returning data
  4. Rotate API credentials and remove them from Firebase Remote Config
  5. Implement rate limiting on user/device lookup endpoints
  6. Audit access logs for enumeration patterns
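As an added example of the last recommendation (audit access logs for enumeration patterns), not part of the advisory and not Gardyn's tooling: a small Python script that groups `/api/user/{id}` requests by client and flags clients whose requests walk through consecutive integer IDs, which is the access pattern sequential keys invite. The log format, the `find_enumerators` and `longest_sequential_run` names, the threshold and the log lines are all constructed.

```python
# Added illustration (not from the advisory): flag clients whose access-log
# entries step through /api/user/{id} with consecutive integer IDs.
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed log format: timestamp, client IP, quoted request line, status.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "GET /api/user/(?P<uid>\d+)" (?P<status>\d{3})$'
)

# Constructed sample log: one client enumerating, one repeatedly fetching its own
# record, one making a few unrelated lookups, plus a line that does not parse.
SAMPLE_LOG = """\
2026-04-01T10:00:00Z 203.0.113.7 "GET /api/user/1041" 200
2026-04-01T10:00:00Z 203.0.113.7 "GET /api/user/1042" 200
2026-04-01T10:00:01Z 203.0.113.7 "GET /api/user/1043" 200
2026-04-01T10:00:01Z 203.0.113.7 "GET /api/user/1044" 200
2026-04-01T10:00:01Z 203.0.113.7 "GET /api/user/1045" 200
2026-04-01T10:00:02Z 198.51.100.9 "GET /api/user/77" 200
2026-04-01T10:00:02Z 203.0.113.7 "GET /api/user/1046" 200
2026-04-01T10:00:02Z 203.0.113.7 "GET /api/user/1047" 200
2026-04-01T10:00:03Z 203.0.113.7 "GET /api/user/1048" 200
2026-04-01T10:00:04Z 192.0.2.5 "GET /api/user/5" 200
2026-04-01T10:00:05Z 192.0.2.5 "GET /api/user/9" 200
2026-04-01T10:00:06Z 192.0.2.5 "GET /api/user/12" 200
2026-04-01T10:01:00Z 198.51.100.9 "GET /api/user/77" 200
2026-04-01T10:01:30Z 198.51.100.9 "GET /api/user/77" 200
malformed line that does not match the format
"""


def parse_requests(lines: Iterable[str]) -> List[Tuple[str, int]]:
    """Extract (client_ip, requested_user_id) in log order; unmatched lines are skipped."""
    out = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            out.append((m.group("ip"), int(m.group("uid"))))
    return out


def longest_sequential_run(ids: List[int]) -> int:
    """Length of the longest run in which each ID is exactly the previous ID plus one."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(lines: Iterable[str], min_run: int = 5) -> Dict[str, dict]:
    """Per flagged client IP: distinct IDs requested and the longest sequential run."""
    per_ip: Dict[str, List[int]] = defaultdict(list)
    for ip, uid in parse_requests(lines):
        per_ip[ip].append(uid)
    flagged = {}
    for ip, ids in per_ip.items():
        run = longest_sequential_run(ids)
        if run >= min_run:
            flagged[ip] = {"distinct_ids": len(set(ids)), "longest_run": run}
    return flagged


if __name__ == "__main__":
    for ip, stats in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {stats['distinct_ids']} distinct IDs, sequential run of {stats['longest_run']}")
```

Grouping per client before measuring runs matters because an enumerating client's requests are interleaved with everyone else's in the raw log; a threshold on the longest run (rather than on request count alone) keeps a user who reloads their own profile from being flagged. The same pass is only possible if the endpoint is logged at all, which the advisory notes was not the case for `/api/users`.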

Timeline

| Date | Event |
|---|---|
| 2025-10-14 | Initial disclosure to vendor (researcher + consumer action — dual-capacity; the researcher disclosed as an affected Gardyn customer in addition to acting as the discovering researcher; see VU653116 standing note) |
| 2025-12-11 | Disclosure to CERT/CC (researcher + consumer action — dual-capacity; 58 days after initial vendor disclosure) |
| 2026-02-24 | ICSA-26-055-03 published (initial) |
| 2026-04-02 | ICSA-26-055-03 Update A -- CVE-2026-25197, CVE-2026-28766, CVE-2026-32646, CVE-2026-28767, CVE-2026-32662 added |

References

Credit

Reported by Michael Groberman — Gr0m to CISA.
