Skip to main content

Pure Storage FlashArray CVE-2026-6445

| EUVDEUVD-2026-35792 HIGH
Improper Authorization in Handler for Custom URL Scheme (CWE-939)
2026-06-09 Everpure GHSA-w284-7936-m8j9
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 09, 2026 - 22:22 vuln.today
CVSS changed
Jun 09, 2026 - 20:22 NVD
8.7 (HIGH)
CVE Published
Jun 09, 2026 - 18:40 nvd
UNKNOWN (no severity yet)

DescriptionNVD

A flaw exists in FlashArray Purity where insufficient filtering of certain data paths could expose sensitive information to an authenticated user with low privileges.

AnalysisAI

Information disclosure in Pure Storage FlashArray Purity (versions 6.5.0-6.5.8 and 6.10.0-6.10.5) allows an authenticated low-privileged user to retrieve sensitive data via insufficiently filtered data paths. The flaw carries a CVSS 4.0 score of 8.7 with high confidentiality, integrity, and availability impact, but SSVC indicates no public exploitation and the attack is not automatable. No public exploit has been identified at the time of analysis.

Technical ContextAI

FlashArray Purity is the operating environment that powers Pure Storage's all-flash enterprise storage arrays, providing block, file, and management APIs over the network. The weakness is classified as CWE-939 (Improper Authorization in Handler for Custom URL Scheme), indicating that specific request paths or handlers fail to apply adequate authorization filtering before returning data. In practice this means certain administrative or data-retrieval endpoints honor requests from low-privileged authenticated sessions and surface information that should be gated behind higher-privilege roles. The CPE string 'cpe:2.3:a:everpure:flasharray' appears to reference the FlashArray product family within the Purity environment, though the vendor namespace deviates from typical Pure Storage CPE entries and should be cross-checked against the vendor advisory.

RemediationAI

No vendor-released patched version is independently confirmed in the provided data; upgrade beyond the affected ranges (past 6.5.8 on the 6.5 train and past 6.10.5 on the 6.10 train) once Pure Storage publishes a fixed Purity release, consulting the security bulletins page at https://support.purestorage.com/bundle/m_security_bulletins/page/Pure_Security/topics/concept/c_security_bulletins.html for the exact target version. As compensating controls until the patch is staged, tighten Purity RBAC so that low-privilege roles cannot reach the management API, restrict the management network to a dedicated admin VLAN with jump-host access only, rotate credentials for any low-privilege Purity accounts that may have been shared, and enable audit logging on the array to detect anomalous read activity from low-privilege users. Trade-offs: locking down the management VLAN may break monitoring integrations that poll the API, and disabling low-privilege accounts can disrupt automation pipelines that rely on read-only credentials.

Share

CVE-2026-6445 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy