MichaelAdamGroberman/CVE-2026-32662

CERT/CC VU#653116 | CISA Advisory ICSA-26-055-03 | All CVEs | Case Repository

CVE-2026-32662: Active Debug Code in Production

Advisory

| Field | Value |
|---|---|
| CVE | CVE-2026-32662 |
| ICSA | ICSA-26-055-03 (Update A) |
| CVSS 3.1 | 5.3 (Medium) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CWE | CWE-489 (Active Debug Code) |
| Researcher | Michael Groberman — Gr0m |
| Published | 2026-04-02 (Update A) |

Product

| Field | Value |
|---|---|
| Vendor | Gardyn |
| Product | Gardyn Home Kit 1.0, 2.0, 3.0, 4.0; Gardyn Studio 1.0, 2.0 |
| Component | Cloud API |
| Affected Versions | Cloud API < 2.12.2026 |

Summary

Development and test API endpoints are present in the production environment that mirror production functionality. These endpoints historically provided access to production credentials with reduced or absent authentication controls. Additionally, development credentials and configuration are embedded in production mobile application and admin panel builds.

Vulnerability Details

Development API Endpoints

Multiple development and test API endpoints were discovered that parallel production infrastructure:

| Endpoint | Purpose | Status |
|---|---|---|
| [REDACTED — Dev API host #1] | Development API | 403 Forbidden (blocked) |
| [REDACTED — Dev API host #2] | Development API | Unknown |

Historical Credential Leakage

The development API historically accepted the same provisioning requests as production and returned full production credentials including the IoT Hub iothubowner credential (CVE-2025-1242) — without authentication.

The development environment was configured with production credentials, meaning a compromise of the less-secured development environment granted full access to the production IoT Hub fleet.

Development Credentials in Production Builds

Development environment credentials and configuration were found embedded in production application artifacts:

Mobile application (index.android.bundle):

  • Development API hostnames and endpoints
  • Firebase development project credentials
  • Test/staging environment connection strings

Admin panel JavaScript bundle (admin.gardyn.io):

  • Development API endpoint leaked in production bundle ([REDACTED — Dev API host])
  • Development environment credentials
  • Debug configuration parameters
  • Internal Azure resource identifiers

Production API Endpoint Enumeration

Analysis of the production bundles and Firebase Remote Config revealed the full production API surface:

| Endpoint | Purpose |
|---|---|
| [REDACTED — Production host] | Main production API |
| [REDACTED — Legacy host] | Legacy API |
| [REDACTED — Orders host] | Order processing |
| [REDACTED — Kelby service host] | AI assistant service layer |
| [REDACTED — Data API host] | Data API |

Current Status

Development endpoints now return 403 Forbidden responses, indicating they have been blocked, but the infrastructure remains deployed. Development credentials remain embedded in published mobile application builds.

Impact

  • Historical credential leakage via development endpoints (production iothubowner key was accessible)
  • Development credentials in production builds enable environment discovery and targeted reconnaissance
  • Parallel development environments with production credentials create alternate attack paths
  • Internal API surface enumeration aids exploitation of other vulnerabilities
  • Risk of future re-exposure if access controls on development endpoints are relaxed

Standard Services Available for This Class of Endpoint

Azure provides built-in environment separation and deployment controls that prevent development code from reaching production:

| Service | Purpose |
|---|---|
| Azure App Service Deployment Slots | Separate staging/development environments with independent configurations — swap to production only when validated |
| Azure App Service Environment Variables | Per-slot configuration settings that prevent production credentials from appearing in non-production environments |
| GitHub Actions / Azure DevOps Environment Gates | CI/CD pipeline checks that validate no debug artifacts or development credentials are present before deployment |

Remediation

Gardyn recommends upgrading to Cloud API version 2.12.2026 or later. See https://mygardyn.com/security/ for additional information.

Recommended fix for the vendor:

  1. Decommission publicly routable development endpoints entirely
  2. Implement network segmentation isolating non-production environments from the internet
  3. Never use production credentials in development environments
  4. Remove development hostnames, credentials, and debug configuration from production application builds
  5. Strip debug symbols, build paths, and environment metadata from production bundles
  6. Implement a build pipeline that validates no development artifacts are present in release builds
  7. Conduct regular audits of exposed Azure Web App endpoints
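The release-build validation in step 6 (and the CI/CD environment gate listed under standard services) can be implemented as a scanner that runs over the bundle a pipeline is about to publish and fails the build if development artifacts of the kinds this advisory describes are still present. The script below is an added example, not code from the advisory, the researcher, or Gardyn. Every hostname, Firebase project id, key, and Azure resource id in it is a constructed placeholder, and the regular-expression rules are assumptions about naming conventions (a `dev`/`staging`/`test`/`qa` label in a hostname, a `-dev` suffix on a Firebase project, a `__DEV__`/`debug` switch set to true, an embedded connection-string key, a `/subscriptions/.../resourceGroups/...` id) that a team would tune to its own environment.

```python
"""Release-build gate: refuse to ship a bundle that still carries development artifacts.

Added example, not Gardyn's or the advisory author's code. Models the CI/CD
check recommended in the advisory: scan the production mobile/admin bundle for
development hostnames, non-production Firebase projects, debug switches,
embedded connection-string keys, and internal Azure resource identifiers.
All sample values are constructed placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str  # which rule fired
    line: int      # 1-based line number in the bundle
    text: str      # the matched text, for the build log


# Detection rules (category, regex). These are assumptions about naming
# conventions, not a vendor-specific list; tune them to your own environment.
RULES: list[tuple[str, re.Pattern[str]]] = [
    # A hostname whose label is, or is hyphen-joined with, dev/staging/test/qa.
    # The token must start a label or follow a hyphen, so "device." and "latest."
    # do not fire.
    ("dev-hostname", re.compile(
        r"\b(?:[\w-]+\.)*(?:[\w-]+-)?(?:dev|staging|test|qa)(?:-[\w-]+)?\.(?:[\w-]+\.)*[a-z]{2,}\b",
        re.I)),
    # Firebase config pointing at a non-production project id.
    ("firebase-dev-project", re.compile(
        r"projectId\s*[:=]\s*[\"']([\w-]*(?:dev|staging|test)[\w-]*)[\"']", re.I)),
    # Debug switches left enabled in the shipped bundle.
    ("debug-flag", re.compile(r"\b(?:__DEV__|DEBUG|debug)\s*[:=]\s*(?:true|1)\b")),
    # Internal Azure resource identifiers leaked into client code.
    ("azure-resource-id", re.compile(
        r"/subscriptions/[0-9a-f-]{36}/resourceGroups/[\w.-]+", re.I)),
    # Connection strings carrying an actual key (IoT Hub / Storage style).
    ("connection-string", re.compile(r"(?:SharedAccessKey|AccountKey)=[A-Za-z0-9+/=]{16,}")),
]


def scan_bundle(text: str, allowlist: frozenset[str] = frozenset()) -> list[Finding]:
    """Return every rule hit in the bundle text, in line order.

    `allowlist` holds exact matched strings that were reviewed and accepted
    (for example a public production host that happens to contain "qa").
    """
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in RULES:
            for m in pattern.finditer(line):
                if m.group(0) in allowlist:
                    continue
                findings.append(Finding(category, lineno, m.group(0)))
    return findings


def release_gate(text: str, allowlist: frozenset[str] = frozenset()) -> tuple[bool, list[Finding]]:
    """True (and no findings) means the bundle may be published."""
    findings = scan_bundle(text, allowlist)
    return (not findings, findings)


def scan_file(path: str, allowlist: frozenset[str] = frozenset()) -> tuple[bool, list[Finding]]:
    """Gate a bundle on disk, e.g. index.android.bundle or an admin-panel JS bundle."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return release_gate(fh.read(), allowlist)


# Constructed excerpt resembling a React Native bundle; not a real artifact.
SAMPLE_BUNDLE = """\
// constructed excerpt of a React Native bundle (not a real Gardyn artifact)
var PROD_API = "https://api.example.invalid/v1";
var DEV_API = "https://api-dev.example.invalid/v1";
var firebaseConfig = {apiKey: "AIza-PLACEHOLDER", projectId: "homeapp-dev"};
var __DEV__ = true;
var latest = "https://latest.example.invalid/";
var hub = "HostName=hub.example.invalid;SharedAccessKeyName=device;SharedAccessKey=PLACEHOLDERPLACEHOLDERKEY=";
var rg = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dev-eastus";
"""


if __name__ == "__main__":
    import sys

    # Usage: python gate.py <bundle-path>; with no argument the sample bundle is scanned.
    if len(sys.argv) > 1:
        ok, findings = scan_file(sys.argv[1])
    else:
        ok, findings = release_gate(SAMPLE_BUNDLE)
    for f in findings:
        print(f"{f.category:22} line {f.line}: {f.text}")
    print("release gate:", "PASS" if ok else "FAIL")
    sys.exit(0 if ok else 1)
```

Run as a pipeline step with the bundle path as the argument; a non-zero exit blocks the release. Against the constructed sample it reports one finding per category on lines 3, 4, 5, 7 and 8 and fails the gate, while the `latest.example.invalid` host on line 6 is correctly ignored. The allowlist exists so that a reviewed exception is recorded explicitly in the pipeline configuration rather than by loosening a rule.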

Timeline

| Date | Event |
|---|---|
| 2025-10-14 | Initial disclosure to vendor (researcher + consumer action — dual-capacity; the researcher disclosed as an affected Gardyn customer in addition to acting as the discovering researcher; see VU653116 standing note) |
| 2025-12-11 | Disclosure to CERT/CC (researcher + consumer action — dual-capacity; 58 days after initial vendor disclosure) |
| 2026-02-24 | ICSA-26-055-03 published (initial) |
| 2026-04-02 | ICSA-26-055-03 Update A -- CVE-2026-32662 added |

References

Credit

Reported by Michael Groberman — Gr0m to CISA.
