CVE-2026-22051
Received Received - Intake
Information Disclosure in StorageGRID Metrics Queries Allows Data Exposure

Publication date: 2026-04-20

Last updated on: 2026-04-21

Assigner: NetApp, Inc.

Description
StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.13 and 12.0.0.6 are susceptible to a Information Disclosure vulnerability. Successful exploit could allow an authenticated attacker with low privileges to run arbitrary metrics queries, revealing metric results that they do not have access to.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22051
EUVD
EUVD-2026-23952
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
netapp storagegrid to 12.0.0.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects StorageGRID versions prior to 11.9.0.13 and 12.0.0.6. It is an Information Disclosure vulnerability that allows an authenticated attacker with low privileges to run arbitrary metrics queries. By exploiting this, the attacker can access metric results that they are not authorized to see.

Impact Analysis

The impact of this vulnerability is that an attacker with low-level access can obtain sensitive information through unauthorized metrics queries. This could lead to exposure of internal system metrics or data that should be restricted, potentially aiding further attacks or information gathering.

Compliance Impact

This vulnerability allows an authenticated attacker with low privileges to run arbitrary metrics queries, potentially revealing metric results they should not have access to.

Such unauthorized information disclosure could impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to sensitive information.

However, the provided information does not specify the nature of the disclosed metrics or whether they include personal or protected health information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22051. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart