CVE-2026-54477

MEDIUM

Gardyn IoT Hub Improper Neutralization of HTTP Headers for Scripting Syntax

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-54477. PoCs published by MichaelAdamGroberman.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2026-54477, a missing security headers vulnerability in the Gardyn IoT Hub admin panel (admin.gardyn.io). The absence of CSP, X-Frame-Options, and other headers enables clickjacking and XSS attacks against authenticated admin sessions. No exploit code is included, but the writeup thoroughly documents the vulnerability mechanics and remediation.

Description

The admin panel lacks standard security headers, enabling clickjacking and cross-site scripting attacks.

Exploits (1)

nomisec WRITEUP
by MichaelAdamGroberman · poc
https://github.com/MichaelAdamGroberman/CVE-2026-54477

This repository provides a detailed technical analysis of CVE-2026-54477, a missing security headers vulnerability in the Gardyn IoT Hub admin panel (admin.gardyn.io). The absence of CSP, X-Frame-Options, and other headers enables clickjacking and XSS attacks against authenticated admin sessions. No exploit code is included, but the writeup thoroughly documents the vulnerability mechanics and remediation.

Classification
Writeup 99%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Gardyn Home Kit / Gardyn Studio (Admin panel: admin.gardyn.io, Netlify), Home Firmware < master.627, Studio Firmware < master.627, Cloud API < 2.12.2026
Auth required
Prerequisites: Authenticated admin session · User interaction (e.g., clickjacking requires victim to click on attacker-controlled interface)
mistral-large-3 · analyzed Jul 03, 2026 Full analysis →

Scores

CVSS v3 5.4
EPSS 0.0024
EPSS Percentile 14.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-644
Status published
Products (3)
Gardyn/Gardyn Cloud API < 2.12.2026
Gardyn/Gardyn Home Firmware < master.627
Gardyn/Gardyn Studio Firmware < master.627
Published Jul 03, 2026
Tracked Since Jul 03, 2026