Description
Under certain administrative conditions, FlashArray Purity may apply snapshot retention policies earlier or later than configured.
Published: 2026-04-14
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data loss due to misapplied snapshot retention
Action: Apply Patch
AI Analysis

Impact

The flaw causes FlashArray Purity to enforce snapshot retention policies earlier or later than the administrator configured, which can delete recovery points prematurely or keep them longer than intended. This leads to loss of critical backup data, unexpected storage usage, and potential non‑compliance with retention policies. The weakness stems from improper enforcement of configured data‑retention controls, classified as CWE‑783.

Affected Systems

PureStorage FlashArray products that run Purity//FA releases older than 6.5.13, 6.7.7, 6.9.2, or 6.10.1 are vulnerable. All newer releases at or above these version thresholds are fixed.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. No EPSS information is available and the issue is not listed in CISA’s KEV catalog. Exploitation requires privileged access to the management interface, and the problem surfaces under administrative misuse or misconfiguration rather than through an external attack vector.

Generated by OpenCVE AI on April 14, 2026 at 21:33 UTC.

Remediation

Vendor Solution

This issue is resolved in the following FlashArray //Purity versions:

  • Purity//FA 6.5.13 or later
  • Purity//FA 6.7.7 or later
  • Purity//FA 6.9.2 or later
  • Purity//FA 6.10.1 or later


OpenCVE Recommended Actions

  • Upgrade Purity//FA to 6.5.13 or later, or to 6.7.7 or later, or to 6.9.2 or later, or to 6.10.1 or later


Advisories

No advisories yet.

History

Wed, 15 Apr 2026 14:45:00 +0000

Values added:
  • Title: Incorrect Snapshot Retention Timing in Pure Storage FlashArray May Lead to Data Loss

Tue, 14 Apr 2026 22:00:00 +0000

Values added:
  • First Time appeared: Purestorage; Purestorage flasharray
  • CPEs: cpe:2.3:a:purestorage:flasharray:*:*:*:*:*:*:*:*; cpe:2.3:a:purestorage:flasharray:6.10.0:*:*:*:*:*:*:*
  • Vendors & Products: Purestorage; Purestorage flasharray

Tue, 14 Apr 2026 19:15:00 +0000

Values added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 18:15:00 +0000

Values added:
  • Description: Under certain administrative conditions, FlashArray Purity may apply snapshot retention policies earlier or later than configured.
  • Weaknesses: CWE-783
  • References
  • Metrics: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: PureStorage

Published:

Updated: 2026-04-14T21:56:10.258Z

Reserved: 2025-10-30T16:39:22.241Z

Link: CVE-2026-0209

Vulnrichment

Updated: 2026-04-14T18:55:23.161Z

NVD

Status: Awaiting Analysis

Published: 2026-04-14T18:16:41.980

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-0209

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:41:09Z

Weaknesses