Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A vulnerability exists in FlashBlade whereby sensitive information may be logged under specific conditions.
AnalysisAI
Information disclosure in Pure Storage FlashBlade allows high-privileged network attackers to access sensitive data through log files. Affects FlashBlade versions 4.0.0-4.4.8, 4.5.0-4.5.13, and 4.6.0-4.6.3. The vulnerability (CWE-532: insertion of sensitive information into log file) has a CVSS 4.0 score of 8.5, indicating high confidentiality impact with scope change, but requires high privileges. No public exploit or active exploitation confirmed at time of analysis. EPSS data not yet available for this recently disclosed CVE.
Technical ContextAI
This vulnerability stems from CWE-532 (Insertion of Sensitive Information Into Log File), a common security weakness where applications write sensitive data-such as credentials, session tokens, API keys, or personally identifiable information-to log files without proper sanitization. FlashBlade is Pure Storage's scale-out file and object storage platform designed for unstructured data workloads. The affected product spans multiple major release branches (4.0.x through 4.6.x), suggesting a longstanding architectural issue in the logging subsystem. The CVSS 4.0 vector indicates network-accessible attack surface (AV:N) with low attack complexity (AC:L) but requiring high privileges (PR:H), meaning legitimate administrators or users with elevated access could inadvertently or maliciously extract sensitive information from logs. The scope change (SC:H/SI:H/SA:H) indicates the vulnerability impacts resources beyond the vulnerable component's security scope, potentially exposing data from other tenants or system components managed by the FlashBlade appliance.
RemediationAI
Upgrade affected FlashBlade appliances to patched versions beyond the vulnerable ranges: upgrade 4.0.x-4.4.x branch installations to version 4.4.9 or later, upgrade 4.5.x installations to version 4.5.14 or later, and upgrade 4.6.x installations to version 4.6.4 or later (exact patched versions should be confirmed from Pure Storage security bulletin). Organizations should follow Pure Storage's upgrade procedures for FlashBlade, which typically involve non-disruptive rolling upgrades across controller nodes. Consult the official security advisory at https://support.purestorage.com/bundle/m_security_bulletins/page/Pure_Security/topics/concept/c_security_bulletins.html for specific remediation guidance and any interim workarounds. As an immediate mitigation measure, restrict access to FlashBlade management interfaces and log files to minimum necessary privileged users, implement enhanced monitoring for log access by administrative accounts, and review existing logs for potential sensitive data exposure. Consider implementing additional log redaction or sanitization controls if available in the FlashBlade management interface. After patching, rotate any credentials or sensitive information that may have been exposed in historical log files.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22653
GHSA-rrmf-6vf5-86v9