## https://sploitus.com/exploit?id=99BCD30E-0C37-56F5-ACF1-88ECFDD410F1
> **CERT/CC VU#653116** | [CISA Advisory ICSA-26-055-03](https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03) | [All CVEs](https://github.com/MichaelAdamGroberman/ICSA-26-055-03)

# CVE-2026-28767: Missing Authentication on Admin Notifications Endpoint

## Classification
- **CVE:** [CVE-2026-28767](https://vulners.com/cve/CVE-2026-28767)
- **Gr0m ID:** Gr0m-009
- **CVSS 3.1:** 5.3 (Medium)
- **Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- **CWE:** CWE-306 (Missing Authentication for Critical Function)
- **Status:** CONFIRMED

---

## Summary

The `/api/admin/notifications` administrative endpoint is accessible without authentication, exposing internal notification system data and administrative communications.

---

## Endpoint

```
GET https://gardyn-api-deploy-prod.azurewebsites.net/api/admin/notifications
Authentication: NONE
```

---

## Systemic Pattern

This endpoint is part of a broader missing-authentication pattern on the Gardyn `/api/admin/*` path. Both this endpoint and `/api/admin/devices` ([CVE-2026-32646](https://github.com/MichaelAdamGroberman/CVE-2026-32646)) lack authentication, suggesting the entire admin API namespace was deployed without access controls.

---

## Impact
- Information disclosure of internal administrative communications
- Visibility into operational processes and system events
- Notification template and targeting data exposure
- Reconnaissance value for identifying system behavior

---

## Remediation
1. Require admin authentication on all `/api/admin/*` endpoints
2. Implement role-based access control
3. Audit all endpoints under `/api/admin/` for missing authentication
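The three remediation steps as one added example (not Gardyn's code; the route table, token store and role names are constructed): a dispatcher that denies the whole `/api/admin/*` namespace by default, checks the caller's role, and an audit helper that lists admin routes registered without an explicit role requirement.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

ADMIN_PREFIX = "/api/admin/"

# Constructed token store; a real service would validate a session or JWT here.
SESSIONS = {
    "tok-admin": {"user": "ops", "roles": {"admin"}},
    "tok-user": {"user": "grower", "roles": {"user"}},
}

@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)

@dataclass
class Route:
    handler: Callable[[Request], Tuple[int, dict]]
    role: Optional[str] = None  # None: registered with no auth requirement at all

def authenticate(req: Request) -> Optional[dict]:
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])

# Constructed route table. The two admin routes are registered the way the
# advisory describes: no role attached, so anonymous unless the namespace guard catches them.
ROUTES = {
    "/api/admin/notifications": Route(lambda r: (200, {"notifications": ["constructed sample"]})),
    "/api/admin/devices": Route(lambda r: (200, {"devices": ["constructed sample"]})),
    "/api/status": Route(lambda r: (200, {"ok": True})),
}

def dispatch(routes: Dict[str, Route], req: Request) -> Tuple[int, dict]:
    route = routes.get(req.path)
    if route is None:
        return 404, {"error": "not found"}
    # Step 1: deny by default for the whole admin namespace. A per-route role is
    # honoured, but an admin path with no role still requires "admin".
    needed = route.role
    if req.path.startswith(ADMIN_PREFIX) and needed is None:
        needed = "admin"
    if needed is not None:
        principal = authenticate(req)
        if principal is None:
            return 401, {"error": "authentication required"}
        if needed not in principal["roles"]:  # step 2: role-based access control
            return 403, {"error": "forbidden"}
    return route.handler(req)

def audit_admin_routes(routes: Dict[str, Route]) -> list:
    """Step 3: admin paths registered with no explicit role, for review before deploy."""
    return sorted(p for p, r in routes.items() if p.startswith(ADMIN_PREFIX) and r.role is None)
```

The namespace guard in `dispatch` closes the hole even when a route is misregistered; `audit_admin_routes` surfaces such routes so the misregistration itself gets fixed.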

---

## Full Technical Writeup

See [CVE-2026-28767.md](CVE-2026-28767.md) for the complete CISA-aligned advisory.

---

**Researcher:** Gr0m