Description
ONTAP versions 9.16.1 prior to 9.16.1P9 and 9.17.1 prior to 9.17.1P2 with snapshot locking enabled are susceptible to a vulnerability which could allow a privileged remote attacker to set the snapshot expiry time to none.
Published: 2026-01-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch
AI Analysis

Impact

The vulnerability allows a privileged remote attacker to configure snapshot expiration to none on NetApp ONTAP 9, meaning snapshots will never be automatically purged. This can lead to unbounded growth of stored data, potentially exhausting storage capacity and violating retention policies. The weakness is a lack of proper access control, represented by CWE-639.

Affected Systems

NetApp ONTAP 9.16.1 versions prior to P9 and 9.17.1 versions prior to P2, when snapshot locking is enabled.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium risk level. The EPSS score of less than 1% shows a very low probability of exploitation at present. The vulnerability is not yet listed in the CISA KEV catalog. It requires a privileged user with network access to the ONTAP management interface; the attacker must be able to send configuration commands over the network. Because of the limited target scope, the potential impact is confined to environments using these specific ONTAP releases.

Generated by OpenCVE AI on April 18, 2026 at 07:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the affected ONTAP installations to version 9.16.1P9 or 9.17.1P2 or later.
  • Disable snapshot locking until the patch is applied.
  • Implement storage usage monitoring to detect anomalous growth of snapshots.


Advisories

No advisories yet.

History

Sat, 18 Apr 2026 07:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Privilege Escalation via Snapshot Expiry Misconfiguration in NetApp ONTAP 9 |

Thu, 22 Jan 2026 23:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Netapp ontap |
| CPEs | | cpe:2.3:a:netapp:ontap:9.16.1:-:*:*:*:*:*:* |
| | | cpe:2.3:a:netapp:ontap:9.16.1:p1:*:*:*:*:*:* |
| | | cpe:2.3:a:netapp:ontap:9.16.1:p2:*:*:*:*:*:* |
| | | cpe:2.3:a:netapp:ontap:9.16.1:p3:*:*:*:*:*:* |
| | | cpe:2.3:a:netapp:ontap:9.16.1:p4:*:*:*:*:*:* |
| | | cpe:2.3:a:netapp:ontap:9.16.1:p5:*:*:*:*:*:* |
| | | cpe:2.3:a:netapp:ontap:9.16.1:p6:*:*:*:*:*:* |
| | | cpe:2.3:a:netapp:ontap:9.16.1:p7:*:*:*:*:*:* |
| | | cpe:2.3:a:netapp:ontap:9.16.1:p8:*:*:*:*:*:* |
| | | cpe:2.3:a:netapp:ontap:9.17.1:-:*:*:*:*:*:* |
| | | cpe:2.3:a:netapp:ontap:9.17.1:p1:*:*:*:*:*:* |
| Vendors & Products | | Netapp ontap |
| Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'} |


Tue, 13 Jan 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-639 |

Tue, 13 Jan 2026 09:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Netapp |
| | | Netapp ontap 9 |
| Vendors & Products | | Netapp |
| | | Netapp ontap 9 |

Mon, 12 Jan 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 12 Jan 2026 17:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | ONTAP versions 9.16.1 prior to 9.16.1P9 and 9.17.1 prior to 9.17.1P2 with snapshot locking enabled are susceptible to a vulnerability which could allow a privileged remote attacker to set the snapshot expiry time to none. |
| References | | |
| Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: netapp

Published:

Updated: 2026-01-13T17:30:51.952Z

Reserved: 2026-01-05T22:47:18.701Z

Link: CVE-2026-22050

Vulnrichment

Updated: 2026-01-12T17:36:56.967Z

NVD

Status: Analyzed

Published: 2026-01-12T18:15:48.983

Modified: 2026-01-22T17:58:22.053

Link: CVE-2026-22050

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:15:25Z

Weaknesses