Skip to main content

FlashArray Purity CVE-2026-6444

| EUVDEUVD-2026-35793 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-09 Everpure GHSA-x9xp-vjfv-m6vr
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 09, 2026 - 22:23 vuln.today
CVSS changed
Jun 09, 2026 - 20:22 NVD
8.6 (HIGH)
CVE Published
Jun 09, 2026 - 18:40 nvd
UNKNOWN (no severity yet)

DescriptionNVD

A flaw exists in the FlashArray Purity management interface where an authenticated low-privileged user may, under specific conditions, access functionality beyond their assigned privileges.

AnalysisAI

Privilege escalation in the Pure Storage FlashArray Purity management interface allows an authenticated low-privileged user to invoke functionality reserved for higher-privileged roles, yielding high confidentiality and integrity impact on managed storage. The CVSS 4.0 score of 8.6 reflects network reach with only low privileges required and no user interaction, though no public exploit identified at time of analysis and SSVC marks exploitation status as none.

Technical ContextAI

FlashArray Purity is the storage operating environment that runs on Pure Storage FlashArray appliances and exposes a web/REST management interface for administrators. The flaw is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), an IDOR-class weakness where the application checks authentication but fails to consistently enforce per-action or per-object authorization, letting a logged-in user reference or invoke resources tied to a higher role. Despite the input tag of 'Authentication Bypass', the CVSS vector (PR:L) and CWE confirm this is an authorization (not authentication) failure occurring after a valid login. The affected CPE 'cpe:2.3:a:everpure:flasharray' appears to be a non-canonical vendor string; the description and version range point to Pure Storage's FlashArray Purity software.

RemediationAI

Patch availability is not explicitly stated in the provided data, so treat this as: patch availability not independently confirmed at time of analysis - consult the Pure Storage security bulletins page (https://support.purestorage.com/bundle/m_security_bulletins/page/Pure_Security/topics/concept/c_security_bulletins.html) for the fixed Purity release covering the 6.10.0-6.10.5 range, and upgrade to the first release outside that band once published. As compensating controls until the fixed version is applied: restrict management-plane network reachability to a dedicated administrative VLAN or jump host (trade-off: breaks ad-hoc admin access from user networks); audit and prune all low-privileged Purity accounts, removing any that are unused or shared (trade-off: may disrupt monitoring scripts using read-only credentials); enable and forward Purity audit logs to a SIEM with alerts on role-elevation or unexpected API endpoint usage by non-admin accounts (trade-off: requires baseline tuning to avoid noise); and rotate credentials for low-privileged accounts in case any have been previously compromised.

Share

CVE-2026-6444 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy