Skip to main content

FlashBlade CVE-2026-0207

| EUVDEUVD-2026-22653 HIGH
Insertion of Sensitive Information into Log File (CWE-532)
2026-04-14 psirt@purestorage.com GHSA-rrmf-6vf5-86v9
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 19:39 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 18:22 euvd
EUVD-2026-22653
Analysis Generated
Apr 14, 2026 - 18:22 vuln.today
CVE Published
Apr 14, 2026 - 18:16 nvd
HIGH 8.5

DescriptionCVE.org

A vulnerability exists in FlashBlade whereby sensitive information may be logged under specific conditions.

AnalysisAI

Information disclosure in Pure Storage FlashBlade allows high-privileged network attackers to access sensitive data through log files. Affects FlashBlade versions 4.0.0-4.4.8, 4.5.0-4.5.13, and 4.6.0-4.6.3. The vulnerability (CWE-532: insertion of sensitive information into log file) has a CVSS 4.0 score of 8.5, indicating high confidentiality impact with scope change, but requires high privileges. No public exploit or active exploitation confirmed at time of analysis. EPSS data not yet available for this recently disclosed CVE.

Technical ContextAI

This vulnerability stems from CWE-532 (Insertion of Sensitive Information Into Log File), a common security weakness where applications write sensitive data-such as credentials, session tokens, API keys, or personally identifiable information-to log files without proper sanitization. FlashBlade is Pure Storage's scale-out file and object storage platform designed for unstructured data workloads. The affected product spans multiple major release branches (4.0.x through 4.6.x), suggesting a longstanding architectural issue in the logging subsystem. The CVSS 4.0 vector indicates network-accessible attack surface (AV:N) with low attack complexity (AC:L) but requiring high privileges (PR:H), meaning legitimate administrators or users with elevated access could inadvertently or maliciously extract sensitive information from logs. The scope change (SC:H/SI:H/SA:H) indicates the vulnerability impacts resources beyond the vulnerable component's security scope, potentially exposing data from other tenants or system components managed by the FlashBlade appliance.

RemediationAI

Upgrade affected FlashBlade appliances to patched versions beyond the vulnerable ranges: upgrade 4.0.x-4.4.x branch installations to version 4.4.9 or later, upgrade 4.5.x installations to version 4.5.14 or later, and upgrade 4.6.x installations to version 4.6.4 or later (exact patched versions should be confirmed from Pure Storage security bulletin). Organizations should follow Pure Storage's upgrade procedures for FlashBlade, which typically involve non-disruptive rolling upgrades across controller nodes. Consult the official security advisory at https://support.purestorage.com/bundle/m_security_bulletins/page/Pure_Security/topics/concept/c_security_bulletins.html for specific remediation guidance and any interim workarounds. As an immediate mitigation measure, restrict access to FlashBlade management interfaces and log files to minimum necessary privileged users, implement enhanced monitoring for log access by administrative accounts, and review existing logs for potential sensitive data exposure. Consider implementing additional log redaction or sanitization controls if available in the FlashBlade management interface. After patching, rotate any credentials or sensitive information that may have been exposed in historical log files.

Share

CVE-2026-0207 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy