CVE-2026-22051
Information Disclosure in StorageGRID Metrics Queries Allows Data Exposure
Publication date: 2026-04-20
Last updated on: 2026-04-21
Assigner: NetApp, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| netapp | storagegrid | up to 12.0.0.6 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects StorageGRID versions prior to 11.9.0.13 and 12.0.0.6. It is an Information Disclosure vulnerability that allows an authenticated attacker with low privileges to run arbitrary metrics queries. By exploiting this, the attacker can access metric results that they are not authorized to see.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated attacker with low privileges to run arbitrary metrics queries, potentially revealing metric results they should not have access to.
Such unauthorized information disclosure could impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to sensitive information.
However, the provided information does not specify the nature of the disclosed metrics or whether they include personal or protected health information.
How can this vulnerability impact me?
The impact of this vulnerability is that an attacker with low-level access can obtain sensitive information through unauthorized metrics queries. This could lead to exposure of internal system metrics or data that should be restricted, potentially aiding further attacks or information gathering.