Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (netapp) · only source for this CVE.
CVSS VectorVendor: netapp
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.13 and 12.0.0.6 are susceptible to a Information Disclosure vulnerability. Successful exploit could allow an authenticated attacker with low privileges to run arbitrary metrics queries, revealing metric results that they do not have access to.
AnalysisAI
StorageGRID versions before 11.9.0.13 and 12.0.0.6 allow authenticated attackers with low privileges to execute arbitrary metrics queries, exposing metric data they lack authorization to access. The vulnerability requires low-privilege authentication and specific timing conditions but poses direct information disclosure risk in multi-tenant or role-restricted deployments where metric visibility should be compartmentalized.
Technical ContextAI
StorageGRID is NetApp's distributed object storage platform. The vulnerability exists in the metrics query execution subsystem, which permits authenticated users to construct and submit arbitrary metrics queries without proper authorization enforcement. The metrics API or query interface fails to validate that the requesting user has appropriate access controls for the specific metrics being queried, allowing privilege escalation within the authenticated session. The CPE designation cpe:2.3:a:netapp:storagegrid_(formerly_storagegrid_webscale) confirms this affects NetApp's StorageGRID product family across all configurations. Root cause involves insufficient access control validation (CWE context implies authorization bypass rather than cryptographic or injection flaws).
RemediationAI
Vendor-released patch: upgrade StorageGRID to version 11.9.0.13 or later, or upgrade to version 12.0.0.6 or later depending on your current branch. Consult https://security.netapp.com/advisory/ntap-20260420-0001 for step-by-step upgrade procedures and version compatibility. If immediate upgrade is not feasible, implement network-level access controls to restrict authenticated access to the metrics query endpoints (typically exposed on the Admin Node or API endpoints) to only authorized users and systems, and audit logs for unauthorized metrics query attempts to detect exploitation. Organizations should verify that metrics API endpoints are not unnecessarily exposed to untrusted network segments and review role-based access control (RBAC) settings to confirm that low-privilege accounts do not require unrestricted metrics visibility.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23952
GHSA-4fw6-xxwg-9332