Description
A flaw exists in the FlashArray Purity management interface where an authenticated low-privileged user may, under specific conditions, access functionality beyond their assigned privileges.
Published: 2026-06-09
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw within the FlashArray Purity management interface allows an authenticated user with limited privileges to, under specific conditions, access functionality that exceeds their authorized scope. This authorization bypass is a privilege escalation vulnerability that could compromise the confidentiality, integrity, and availability of the storage array. The weakness is classified as CWE‑639, reflecting insecure handling of permissions.

Affected Systems

The vulnerability affects Everpure FlashArray appliances. No specific firmware or hardware revisions are listed in the CNA data, so all supported FlashArray models should be examined for the presence of the flaw until the vendor releases a documented fix.

Risk and Exploitability

The CVSS score of 8.6 reflects the high severity of the issue. No EPSS score is available, so there is currently no exploitation probability data. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector requires valid credentials for a low‑privileged account; the attacker must also satisfy the 'specific conditions' implied by the CWE‑639 entry, but those conditions are not detailed in the public advisory. The exploitation window therefore appears to be limited to systems running vulnerable firmware with mis‑configured user roles.

Generated by OpenCVE AI on June 9, 2026 at 21:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied firmware update that contains the privilege escalation fix
  • Re‑evaluate and tighten user role assignments to limit access to sensitive management functions
  • Enable comprehensive audit logging for identity‑to‑action mapping and review logs for unexpected privilege use


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 19:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: A flaw exists in the FlashArray Purity management interface where an authenticated low-privileged user may, under specific conditions, access functionality beyond their assigned privileges.

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-639

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics (cvssV4_0)
Values Removed: (none)
Values Added: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Everpure

Published:

Updated: 2026-06-09T20:00:56.387Z

Reserved: 2026-04-16T18:24:16.662Z

Link: CVE-2026-6444

Vulnrichment

Updated: 2026-06-09T20:00:52.883Z

NVD

Status: Received

Published: 2026-06-09T20:17:02.643

Modified: 2026-06-09T20:17:02.643

Link: CVE-2026-6444

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T21:15:05Z

Weaknesses