{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-13768/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-07-02T23:40:32.780Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-13768","@id":"https://www.cve.org/CVERecord?id=CVE-2026-13768","description":"Gardyn devices expose a privileged iothubowner key. Access to this key will allow a malicious user to invoke an IoTHub Registry Manager function which returns connection information for all Gardyn Home Kit and Studio devices. Access to this key also allows a malicious user to execute arbitrary commands on a specific connected device and may allow the malicious user to pivot to other devices on the user's network."},"products":[{"@id":"cpe:2.3:a:gardyn:gardyn_home_firmware:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:gardyn:gardyn_home_firmware:*:*:*:*:*:*:*:*"}},{"@id":"cpe:2.3:a:gardyn:gardyn_studio_firmware:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:gardyn:gardyn_studio_firmware:*:*:*:*:*:*:*:*"}},{"@id":"cpe:2.3:a:gardyn:gardyn_cloud_api:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:gardyn:gardyn_cloud_api:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"Update to a fixed version: 2.12.2026, master.627.","timestamp":"2026-07-02T23:40:32.780Z"}]}