Gardyn Development and Test API Endpoint Vulnerability

Vulnerability

A vulnerability exists in the Gardyn Home Kit and Gardyn Studio ecosystems, where development and test API endpoints replicate production functionality. This issue could allow unauthenticated users to access and control edge devices, retrieve cloud-based device and user information, and pivot to other edge devices managed within the Gardyn cloud environment. The vulnerability affects the Gardyn Cloud API in versions prior to 2.12.2026.

Impact

Exploitation of this vulnerability could lead to unauthorized access and control over Gardyn edge devices, allowing manipulation of device functions such as lighting and watering. Additionally, it could enable access to personal information, including names, addresses, phone numbers, and email addresses, as well as plant photos.

Remediation

Users are advised to update their Gardyn Home Kit and Studio devices to the latest firmware version, master.622 or later. For the Gardyn mobile application, users should update to version 2.11.0 or later. Further information on Gardyn security can be found on the Gardyn security webpage, and customer support is available via email.

Added: Apr 3, 2026, 9:22 PM
Updated: Apr 3, 2026, 9:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 7.4
remediation: 0.0
relevance: 5.2
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.