{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22051", "assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d", "state": "PUBLISHED", "assignerShortName": "netapp", "dateReserved": "2026-01-05T22:47:18.701Z", "datePublished": "2026-04-20T21:27:36.822Z", "dateUpdated": "2026-04-20T21:28:04.859Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "11fdca00-0482-4c88-a206-37f9c182c87d", "shortName": "netapp", "dateUpdated": "2026-04-20T21:28:04.859Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "description": "213"}]}], "affected": [{"vendor": "NETAPP", "product": "StorageGRID (formerly StorageGRID Webscale)", "versions": [{"status": "affected", "version": "0", "lessThan": "11.9.0.13", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "12.0.0.6", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.13 and 12.0.0.6 are susceptible to a Information Disclosure vulnerability. Successful exploit could allow an authenticated attacker with low privileges to run arbitrary metrics queries, revealing metric results that they do not have access to.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.13 and 12.0.0.6 are susceptible to a Information Disclosure vulnerability. Successful exploit could allow an authenticated attacker with low privileges to run arbitrary metrics queries, revealing metric results that they do not have access to."}]}], "references": [{"url": "https://security.netapp.com/advisory/ntap-20260420-0001", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "LOW", "baseScore": 2.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}}], "source": {"advisory": "NTAP-20260420-0001", "discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.13 and 12.0.0.6 are susceptible to a Information Disclosure vulnerability. Successful exploit could allow an authenticated attacker with low privileges to run arbitrary metrics queries, revealing metric results that they do not have access to."}], "id": "CVE-2026-22051", "lastModified": "2026-04-20T22:16:23.367", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-alert@netapp.com", "type": "Secondary"}]}, "published": "2026-04-20T22:16:23.367", "references": [{"source": "security-alert@netapp.com", "url": "https://security.netapp.com/advisory/ntap-20260420-0001"}], "sourceIdentifier": "security-alert@netapp.com", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T23:57:33.474083+00:00", "value": {"mitigation_remediation": ["Apply the latest StorageGRID patch\u2014upgrade to version 11.9.0.13 or newer, or 12.0.0.6 or newer.", "Configure metrics query authorization controls so that only users with explicit permissions can execute metrics queries.", "Audit current user privileges to ensure that low\u2011privilege accounts do not have unnecessary access to metrics services."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected systems are NetApp StorageGRID deployments, specifically any installations running versions older than 11.9.0.13 or 12.0.0.6. This includes all environments that have not been updated to the specified patched releases.", "description_and_impact": "StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.13 and 12.0.0.6 are susceptible to an information disclosure vulnerability. The flaw allows an authenticated attacker with low privileges to run arbitrary metrics queries, revealing metric results that the attacker should not have access to. This leads to the accidental exposure of potentially sensitive operational data, compromising confidentiality of the system's telemetry and performance metrics.", "risk_and_exploitability": "The CVSS score of 2.3 indicates a low severity impact, yet the vulnerability is exploitable by an authenticated user, which is common in managed storage environments. The exploit mechanism relies on the internal metrics API; thus the attack vector is assumed to be internal or local. As the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, the likelihood of exploitation is considered low but not negligible. The primary risk is the unauthorized disclosure of metrics data to users who do not possess the correct permissions."}}}}, "created": "2026-04-21T00:00:13.345711+00:00", "title": "Authenticated Low\u2011Privilege Information Disclosure via Unrestricted Metrics Queries in NetApp StorageGRID", "updated": "2026-04-21T00:00:13.345723+00:00", "vendors": [], "weaknesses": ["CWE-200", "CWE-284"]}