Description
StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.13 and 12.0.0.6 are susceptible to an Information Disclosure vulnerability. Successful exploit could allow an authenticated attacker with low privileges to run arbitrary metrics queries, revealing metric results that they do not have access to.
Published: 2026-04-20
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.13 and 12.0.0.6 are susceptible to an information disclosure vulnerability. The flaw allows an authenticated attacker with low privileges to run arbitrary metrics queries, revealing metric results that the attacker should not have access to. This leads to the accidental exposure of potentially sensitive operational data, compromising confidentiality of the system's telemetry and performance metrics.

Affected Systems

The affected systems are NetApp StorageGRID deployments, specifically any installations running versions older than 11.9.0.13 or 12.0.0.6. This includes all environments that have not been updated to the specified patched releases.

Risk and Exploitability

The CVSS score of 2.3 indicates a low severity impact, yet the vulnerability is exploitable by an authenticated user, which is common in managed storage environments. The exploit mechanism relies on the internal metrics API; thus the attack vector is assumed to be internal or local. As the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, the likelihood of exploitation is considered low but not negligible. The primary risk is the unauthorized disclosure of metrics data to users who do not possess the correct permissions.

Generated by OpenCVE AI on April 20, 2026 at 23:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest StorageGRID patch: upgrade to version 11.9.0.13 or newer, or 12.0.0.6 or newer.
  • Configure metrics query authorization controls so that only users with explicit permissions can execute metrics queries.
  • Audit current user privileges to ensure that low-privilege accounts do not have unnecessary access to metrics services.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type: First Time appeared / Values Removed: (none) / Values Added: Netapp; Netapp storagegrid
Type: Vendors & Products / Values Removed: (none) / Values Added: Netapp; Netapp storagegrid

Tue, 21 Apr 2026 14:15:00 +0000

Type: Metrics / Values Removed: (none) / Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 00:15:00 +0000

Type: Title / Values Removed: (none) / Values Added: Authenticated Low-Privilege Information Disclosure via Unrestricted Metrics Queries in NetApp StorageGRID
Type: Weaknesses / Values Removed: (none) / Values Added: CWE-200; CWE-284

Mon, 20 Apr 2026 21:45:00 +0000

Type: Description / Values Removed: (none) / Values Added: StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.13 and 12.0.0.6 are susceptible to a Information Disclosure vulnerability. Successful exploit could allow an authenticated attacker with low privileges to run arbitrary metrics queries, revealing metric results that they do not have access to.
Type: References / Values Removed: (none) / Values Added: (none)
Type: Metrics / Values Removed: (none) / Values Added: cvssV4_0
{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Netapp Storagegrid
MITRE

Status: PUBLISHED

Assigner: netapp

Published:

Updated: 2026-04-21T13:40:46.948Z

Reserved: 2026-01-05T22:47:18.701Z

Link: CVE-2026-22051

Vulnrichment

Updated: 2026-04-21T13:40:37.206Z

NVD

Status : Awaiting Analysis

Published: 2026-04-20T22:16:23.367

Modified: 2026-04-21T16:20:24.180

Link: CVE-2026-22051

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:47:13Z

Weaknesses