Skip to main content

Storagegrid Formerly Storagegrid Webscale EUVDEUVD-2026-23952

| CVE-2026-22051 LOW
Information Exposure (CWE-200)
2026-04-20 netapp GHSA-4fw6-xxwg-9332
2.3
CVSS 4.0 · Vendor: netapp

Severity by source

Vendor (netapp) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (netapp) · only source for this CVE.

CVSS VectorVendor: netapp

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch released
Apr 21, 2026 - 16:20 nvd
Patch available
Analysis Generated
Apr 21, 2026 - 00:17 vuln.today
Patch available
Apr 20, 2026 - 22:31 EUVD
CVSS changed
Apr 20, 2026 - 22:22 NVD
2.3 (LOW)
EUVD ID Assigned
Apr 20, 2026 - 21:45 euvd
EUVD-2026-23952
Analysis Generated
Apr 20, 2026 - 21:45 vuln.today
CVE Published
Apr 20, 2026 - 21:27 nvd
LOW 2.3

DescriptionCVE.org

StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.13 and 12.0.0.6 are susceptible to a Information Disclosure vulnerability. Successful exploit could allow an authenticated attacker with low privileges to run arbitrary metrics queries, revealing metric results that they do not have access to.

AnalysisAI

StorageGRID versions before 11.9.0.13 and 12.0.0.6 allow authenticated attackers with low privileges to execute arbitrary metrics queries, exposing metric data they lack authorization to access. The vulnerability requires low-privilege authentication and specific timing conditions but poses direct information disclosure risk in multi-tenant or role-restricted deployments where metric visibility should be compartmentalized.

Technical ContextAI

StorageGRID is NetApp's distributed object storage platform. The vulnerability exists in the metrics query execution subsystem, which permits authenticated users to construct and submit arbitrary metrics queries without proper authorization enforcement. The metrics API or query interface fails to validate that the requesting user has appropriate access controls for the specific metrics being queried, allowing privilege escalation within the authenticated session. The CPE designation cpe:2.3:a:netapp:storagegrid_(formerly_storagegrid_webscale) confirms this affects NetApp's StorageGRID product family across all configurations. Root cause involves insufficient access control validation (CWE context implies authorization bypass rather than cryptographic or injection flaws).

RemediationAI

Vendor-released patch: upgrade StorageGRID to version 11.9.0.13 or later, or upgrade to version 12.0.0.6 or later depending on your current branch. Consult https://security.netapp.com/advisory/ntap-20260420-0001 for step-by-step upgrade procedures and version compatibility. If immediate upgrade is not feasible, implement network-level access controls to restrict authenticated access to the metrics query endpoints (typically exposed on the Admin Node or API endpoints) to only authorized users and systems, and audit logs for unauthorized metrics query attempts to detect exploitation. Organizations should verify that metrics API endpoints are not unnecessarily exposed to untrusted network segments and review role-based access control (RBAC) settings to confirm that low-privilege accounts do not require unrestricted metrics visibility.

Share

EUVD-2026-23952 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy