Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionNVD
A flaw exists in the FlashArray Purity management interface where an authenticated low-privileged user may, under specific conditions, access functionality beyond their assigned privileges.
AnalysisAI
Privilege escalation in the Pure Storage FlashArray Purity management interface allows an authenticated low-privileged user to invoke functionality reserved for higher-privileged roles, yielding high confidentiality and integrity impact on managed storage. The CVSS 4.0 score of 8.6 reflects network reach with only low privileges required and no user interaction, though no public exploit identified at time of analysis and SSVC marks exploitation status as none.
Technical ContextAI
FlashArray Purity is the storage operating environment that runs on Pure Storage FlashArray appliances and exposes a web/REST management interface for administrators. The flaw is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), an IDOR-class weakness where the application checks authentication but fails to consistently enforce per-action or per-object authorization, letting a logged-in user reference or invoke resources tied to a higher role. Despite the input tag of 'Authentication Bypass', the CVSS vector (PR:L) and CWE confirm this is an authorization (not authentication) failure occurring after a valid login. The affected CPE 'cpe:2.3:a:everpure:flasharray' appears to be a non-canonical vendor string; the description and version range point to Pure Storage's FlashArray Purity software.
RemediationAI
Patch availability is not explicitly stated in the provided data, so treat this as: patch availability not independently confirmed at time of analysis - consult the Pure Storage security bulletins page (https://support.purestorage.com/bundle/m_security_bulletins/page/Pure_Security/topics/concept/c_security_bulletins.html) for the fixed Purity release covering the 6.10.0-6.10.5 range, and upgrade to the first release outside that band once published. As compensating controls until the fixed version is applied: restrict management-plane network reachability to a dedicated administrative VLAN or jump host (trade-off: breaks ad-hoc admin access from user networks); audit and prune all low-privileged Purity accounts, removing any that are unused or shared (trade-off: may disrupt monitoring scripts using read-only credentials); enable and forward Purity audit logs to a SIEM with alerts on role-elevation or unexpected API endpoint usage by non-admin accounts (trade-off: requires baseline tuning to avoid noise); and rotate credentials for low-privileged accounts in case any have been previously compromised.
More in Flasharray
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35793
GHSA-x9xp-vjfv-m6vr