LeakyCreds

CVE-2026-25197 - Vulnerability Analysis

Severity: Critical | CVSS: 9.1

Last Updated: April 3, 2026

Generic Product - Broken Access Control

Published: April 3, 2026 | Updated: April 3, 2026 | PoC Available | Remote Exploitable

Overview

The affected product (listed here only as "Generic Product"; the OffSeq post below attributes the issue to the Gardyn Cloud API) exposes API calls that take a user ID as a request parameter but do not verify that the authenticated caller is authorized to act on that ID (CWE-639, Authorization Bypass Through User-Controlled Key). Any authenticated user can read other users' profiles simply by changing the ID in the request. Exploitation requires a valid account, but no elevated privileges and no user interaction.

Severity & Score

Severity: Critical
CVSS Score: 9.1
EPSS Score: 2.8% (probability of exploitation in the next 30 days)

Impact

Any authenticated user can read other users' profile data, leading to unauthorized disclosure of personal information. If user IDs are predictable (for example sequential integers), an attacker can iterate over them and harvest profiles at scale with an ordinary account.

Mitigation

Update to a vendor release that enforces server-side, object-level authorization: every API call that takes a user ID must check that the ID belongs to the authenticated principal (or that the principal holds a role explicitly allowed to read other users) before returning data. Client-side checks or obscured IDs are not a fix. Until a fixed version is available (the OffSeq post below reported no patch at the time of writing), restrict access to the API where possible and monitor for one session requesting many distinct user IDs.
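The following is an added example illustrating the CWE-639 pattern described in the Overview and the object-level check recommended above. It is not code from the affected product: the route shape (GET /users/{id}), the bearer-token session table, the profile records and the "support" role are all assumptions made for the illustration.

```python
# Added example: an IDOR-prone profile handler beside its hardened form.
# Not the vendor's code; route shape, session store and sample data are assumed.

# Constructed sample profile records (not from the advisory).
PROFILES = {
    1001: {"id": 1001, "email": "alice@example.com", "address": "1 Main St"},
    1002: {"id": 1002, "email": "bob@example.com", "address": "2 Oak Ave"},
    1003: {"id": 1003, "email": "carol@example.com", "address": "3 Elm Rd"},
}

# Assumed session store: bearer token -> authenticated principal.
SESSIONS = {
    "tok-alice": {"user_id": 1001, "roles": set()},
    "tok-bob": {"user_id": 1002, "roles": set()},
    "tok-support": {"user_id": 2001, "roles": {"support"}},
}


class Unauthorized(Exception):
    """No valid credential presented (HTTP 401)."""


class NotFound(Exception):
    """Record missing or not visible to the caller (HTTP 404)."""


def authenticate(headers):
    """Resolve the bearer token to a principal; this proves *who* is calling."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token not in SESSIONS:
        raise Unauthorized("missing or invalid bearer token")
    return SESSIONS[token]


def get_profile_vulnerable(headers, path_user_id):
    """GET /users/{id} as described in the advisory: authentication only.

    The handler checks that *some* valid token is present, then keys the
    lookup entirely on the client-supplied ID, so any logged-in user can
    read any profile by editing the path (CWE-639).
    """
    authenticate(headers)
    profile = PROFILES.get(path_user_id)
    if profile is None:
        raise NotFound(path_user_id)
    return profile


def get_profile_fixed(headers, path_user_id):
    """Same route with object-level authorization.

    The ID in the request must be the caller's own, or the caller must hold
    a role that is explicitly allowed to read other users. The check happens
    before the database lookup, and an unauthorized ID returns the same 404
    as a missing record so the status code cannot be used to enumerate
    which IDs exist.
    """
    principal = authenticate(headers)
    if path_user_id != principal["user_id"] and "support" not in principal["roles"]:
        raise NotFound(path_user_id)
    profile = PROFILES.get(path_user_id)
    if profile is None:
        raise NotFound(path_user_id)
    return profile


def get_own_profile(headers):
    """Safer API shape: GET /users/me derives the ID from the session, so there
    is no client-controlled key to tamper with in the first place."""
    principal = authenticate(headers)
    profile = PROFILES.get(principal["user_id"])
    if profile is None:
        raise NotFound(principal["user_id"])
    return profile


def outcome(handler, token, user_id):
    """Run a handler and summarize the result as an HTTP-style status string."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    try:
        return "200 " + handler(headers, user_id)["email"]
    except Unauthorized:
        return "401"
    except NotFound:
        return "404"


if __name__ == "__main__":
    # Alice's token reading Bob's profile: succeeds against the vulnerable
    # handler, is refused (as 404) by the fixed one.
    print(outcome(get_profile_vulnerable, "tok-alice", 1002))
    print(outcome(get_profile_fixed, "tok-alice", 1002))
    print(outcome(get_profile_fixed, "tok-support", 1002))
```

Returning 404 rather than 403 for an ID the caller may not read is a deliberate choice: a 403 confirms that the ID exists and belongs to someone else, which is exactly the signal an enumeration script wants.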

Social Media Activity (1 post)

OffSequence
@offseq
Apr 4, 2026

🚨 CVE-2026-25197 (CRITICAL): Gardyn Cloud API lets authenticated users access other profiles by tweaking ID in API calls (CWE-639). No patch yet — restrict access & monitor for abuse. Details: https://radar.offseq.com/threat/cve-2026-25197-cwe-639-in-gardyn-cloud-api-0887f9ef #OffSeq #APIsecurity #CVE202625197


Details

CVE ID: CVE-2026-25197
Severity: Critical
CVSS Score: 9.1
Type: broken_access_control
Status: new
EPSS: 2.8%
Social Posts: 1

CWE

  • CWE-639 (Authorization Bypass Through User-Controlled Key)

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Note: this vector carries PR:N (no privileges required), which is what yields 9.1, but the Overview states that exploitation requires an authenticated account. With PR:L the same vector scores 8.1 (High). The vector also claims high integrity impact (I:H), while the Impact section describes only data exposure. Treat the 9.1 score as provisional until the vector is reconciled with the described preconditions.

EPSS Score

2.8% (probability of exploitation in the next 30 days)