CVE-2026-55726

MEDIUM

Gardyn IoT Hub Exposure of Sensitive System Information to an Unauthorized Control Sphere

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-55726. PoCs published by MichaelAdamGroberman.

AI-analyzed exploit summary: This repository provides a detailed technical writeup of CVE-2026-55726, an information disclosure vulnerability in Gardyn IoT Hub's Azure Blob Storage container. The container `device-log` was publicly listable, exposing sensitive device logs, SSIDs, and system configurations without authentication.

Description

The Azure Blob Storage container used for Gardyn device logs is publicly listable without authentication. A malicious user would be able to access any device log file available in the blob storage container.

Exploits (1)

nomisec WRITEUP
by MichaelAdamGroberman · poc
https://github.com/MichaelAdamGroberman/CVE-2026-55726

Classification: Writeup 99%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Gardyn Home Kit, Gardyn Studio (Cloud API < 2.12.2026, Home Firmware < master.627, Studio Firmware < master.627)
No auth needed
Prerequisites: Access to the publicly listable Azure Blob Storage container `device-log` (no authentication required)
mistral-large-3 · analyzed Jul 03, 2026

Scores

CVSS v3: 5.3
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE: CWE-497
Status: published
Products (3):
Gardyn/Gardyn Cloud API < 2.12.2026
Gardyn/Gardyn Home Firmware < master.627
Gardyn/Gardyn Studio Firmware < master.627
Published: Jul 03, 2026
Tracked Since: Jul 03, 2026