Description
StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.13 and 12.0.0.6 are susceptible to an Information Disclosure vulnerability. Successful exploit could allow an authenticated attacker with low privileges to run arbitrary metrics queries, revealing metric results that they do not have access to.
Published: 2026-04-20
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.13 and 12.0.0.6 are susceptible to an information disclosure vulnerability. The flaw allows an authenticated attacker with low privileges to run arbitrary metrics queries, revealing metric results that the attacker should not have access to. This leads to the accidental exposure of potentially sensitive operational data, compromising confidentiality of the system's telemetry and performance metrics.

Affected Systems

The affected systems are NetApp StorageGRID deployments, specifically any installations running versions older than 11.9.0.13 or 12.0.0.6. This includes all environments that have not been updated to the specified patched releases.

Risk and Exploitability

The CVSS score of 2.3 indicates a low severity impact, yet the vulnerability is exploitable by an authenticated user, which is common in managed storage environments. The exploit mechanism relies on the internal metrics API; thus the attack vector is assumed to be internal or local. As the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, the likelihood of exploitation is considered low but not negligible. The primary risk is the unauthorized disclosure of metrics data to users who do not possess the correct permissions.

Generated by OpenCVE AI on April 20, 2026 at 23:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest StorageGRID patch—upgrade to version 11.9.0.13 or newer, or 12.0.0.6 or newer.
  • Configure metrics query authorization controls so that only users with explicit permissions can execute metrics queries.
  • Audit current user privileges to ensure that low‑privilege accounts do not have unnecessary access to metrics services.



Advisories

No advisories yet.

History

Tue, 21 Apr 2026 00:15:00 +0000

Type | Values Removed | Values Added
Title | | Authenticated Low‑Privilege Information Disclosure via Unrestricted Metrics Queries in NetApp StorageGRID
Weaknesses | | CWE-200, CWE-284

Mon, 20 Apr 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | | StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.13 and 12.0.0.6 are susceptible to an Information Disclosure vulnerability. Successful exploit could allow an authenticated attacker with low privileges to run arbitrary metrics queries, revealing metric results that they do not have access to.
References | |
Metrics | | cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: netapp

Published:

Updated: 2026-04-20T21:28:04.859Z

Reserved: 2026-01-05T22:47:18.701Z

Link: CVE-2026-22051

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-20T22:16:23.367

Modified: 2026-04-20T22:16:23.367

Link: CVE-2026-22051

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:00:13Z

Weaknesses