CVE-2026-25197
CRITICALGardyn Cloud API Authorization Bypass Through User-Controlled Key
Title source: cnaDescription
A specific endpoint allows authenticated users to pivot to other user profiles by modifying the id number in the API call.
Exploits (1)
nomisec
WRITEUP
1 stars
by MichaelAdamGroberman · poc
https://github.com/MichaelAdamGroberman/CVE-2026-25197
Scores
CVSS v3
9.1
EPSS
0.0003
EPSS Percentile
8.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-639
Status
published
Products (2)
Gardyn/Cloud API
< 2.12.2026
mygardyn/cloud_api
< 2.12.2026
Published
Apr 03, 2026
Tracked Since
Apr 04, 2026