Description
A flaw exists in FlashArray Purity where insufficient filtering of certain data paths could expose sensitive information to an authenticated user with low privileges.
Published: 2026-06-09
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Certain data paths in FlashArray Purity are not properly filtered, allowing an authenticated user with low privileges to access sensitive information. The flaw is an information‑disclosure vulnerability identified as CWE‑939: data that should not be exposed becomes available through unfiltered paths. As a result, users who would normally have limited access can read system data, compromising its confidentiality.

Affected Systems

The vulnerability affects Everpure FlashArray, but specific product versions are not disclosed in the available data. Users of any FlashArray deployment that includes the impacted component should verify their version against vendor advisories.

Risk and Exploitability

The CVSS score of 8.7 indicates a high‑severity issue. The EPSS score is not available, and the lack of a listing in CISA KEV suggests no publicly reported exploitation to date. The likely attack path is an authenticated session, local or network‑based, that reaches the data paths in question; once logged in with low privileges, an attacker can read sensitive data. There are no additional prerequisites such as elevated privileges or special configuration, making this vulnerability readily exploitable by any authenticated user within reach of the system.

Generated by OpenCVE AI on June 9, 2026 at 21:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch issued for this FlashArray Purity flaw
  • Limit user permissions to the minimal required level and enforce least privilege
  • Enable logging and audit trails to detect anomalous data access attempts

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 21:30:00 +0000

Type | Values Removed | Values Added
Title | | Authentication‑Level Data Path Leakage in FlashArray Purity

Tue, 09 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 19:45:00 +0000

Type | Values Removed | Values Added
Description | | A flaw exists in FlashArray Purity where insufficient filtering of certain data paths could expose sensitive information to an authenticated user with low privileges.
Weaknesses | | CWE-939
References | |
Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: Everpure

Published:

Updated: 2026-06-09T20:03:07.992Z

Reserved: 2026-04-16T18:24:18.478Z

Link: CVE-2026-6445

Vulnrichment

Updated: 2026-06-09T20:03:04.272Z

NVD

Status: Received

Published: 2026-06-09T20:17:02.800

Modified: 2026-06-09T20:17:02.800

Link: CVE-2026-6445

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T21:15:05Z

Weaknesses