Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionNVD
A flaw exists in FlashArray Purity where insufficient filtering of certain data paths could expose sensitive information to an authenticated user with low privileges.
AnalysisAI
Information disclosure in Pure Storage FlashArray Purity (versions 6.5.0-6.5.8 and 6.10.0-6.10.5) allows an authenticated low-privileged user to retrieve sensitive data via insufficiently filtered data paths. The flaw carries a CVSS 4.0 score of 8.7 with high confidentiality, integrity, and availability impact, but SSVC indicates no public exploitation and the attack is not automatable. No public exploit has been identified at the time of analysis.
Technical ContextAI
FlashArray Purity is the operating environment that powers Pure Storage's all-flash enterprise storage arrays, providing block, file, and management APIs over the network. The weakness is classified as CWE-939 (Improper Authorization in Handler for Custom URL Scheme), indicating that specific request paths or handlers fail to apply adequate authorization filtering before returning data. In practice this means certain administrative or data-retrieval endpoints honor requests from low-privileged authenticated sessions and surface information that should be gated behind higher-privilege roles. The CPE string 'cpe:2.3:a:everpure:flasharray' appears to reference the FlashArray product family within the Purity environment, though the vendor namespace deviates from typical Pure Storage CPE entries and should be cross-checked against the vendor advisory.
RemediationAI
No vendor-released patched version is independently confirmed in the provided data; upgrade beyond the affected ranges (past 6.5.8 on the 6.5 train and past 6.10.5 on the 6.10 train) once Pure Storage publishes a fixed Purity release, consulting the security bulletins page at https://support.purestorage.com/bundle/m_security_bulletins/page/Pure_Security/topics/concept/c_security_bulletins.html for the exact target version. As compensating controls until the patch is staged, tighten Purity RBAC so that low-privilege roles cannot reach the management API, restrict the management network to a dedicated admin VLAN with jump-host access only, rotate credentials for any low-privilege Purity accounts that may have been shared, and enable audit logging on the array to detect anomalous read activity from low-privilege users. Trade-offs: locking down the management VLAN may break monitoring integrations that poll the API, and disabling low-privilege accounts can disrupt automation pipelines that rely on read-only credentials.
More in Flasharray
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35792
GHSA-w284-7936-m8j9