CVE-2026-6444 | Severity: HIGH | CNA: Everpure

CVE-2026-6444: A flaw exists in the FlashArray Purity management interface where an authenticated low-privileged user may, under specific conditions, access functionality beyond their assigned privileges

Metrics

CVSS v4.0 score: 8.6
Severity: HIGH
Fixed in: no fix version published yet
Affected products: 1


HarborGuard Analysis

Synopsis

This is a privilege escalation flaw in the Everpure FlashArray Purity management interface. An authenticated low-privileged user can, under specific conditions, access functionality beyond their assigned role by reaching the vulnerable interface over the network. Successful exploitation gives the attacker read and write access to sensitive data handled by the management plane. HarborGuard is tracking the upstream advisory and will make a patched-image rebuild available as soon as Everpure publishes a fix.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that incorporate affected FlashArray Purity components. Any image running a vulnerable version (FlashArray Purity 6.10.5 or earlier) is flagged automatically in the pipeline scan results.

Triage (Available)

HarborGuard scores this CVE at CVSS 8.6 (HIGH) and weights it against each environment's compliance policy to determine priority and routing. Triage findings are delivered to the inbox or ticketing integration configured for each customer org, so the right team sees the alert without manual filtering.

Patch (Pending upstream)

Because no fix version has been published by Everpure, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The management interface is exposed over the network, so the attacker must be able to reach it remotely to exploit this flaw.

  • Authentication: Required

    A valid account is needed to trigger the flaw, but any low-privilege credential is sufficient; no administrative account is required.

  • Victim interaction: Not required

    No user action or social engineering is needed; the attacker operates entirely on their own.

  • Attack complexity: Low

    The exploit is reliable and condition-free once the attacker has network access and a low-privilege credential, with no race conditions or special environmental configuration required.

Blast Radius

  • The attacker reads confidential data stored or managed through the FlashArray Purity management interface, including configuration details and potentially stored credentials or access keys.
  • The attacker writes to or modifies management-plane data, including storage configuration, access control entries, or volume mappings.
  • Confidentiality and integrity of the management interface are both fully compromised, but availability of the service itself is not directly affected by this flaw.
  • Lateral movement is a realistic follow-on risk if the management interface controls access to other storage resources or exposes credentials usable elsewhere in the environment.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-6444 is active and will flag any image running Everpure FlashArray Purity 6.10.5 or earlier. Because Everpure has not yet published a fix, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment a fix version is released. For customers with auto-remediation enabled, the rebuild and regression run will trigger automatically, and a PR will be opened against affected workloads without manual intervention. In the interim, compensating controls worth considering include network-policy isolation to restrict which hosts can reach the FlashArray Purity management interface, egress filtering to limit what the management plane can connect to, and auditing low-privilege accounts to reduce the set of principals who could exploit the escalation path.

Affected packages

  • Everpure / FlashArray Purity, versions ≤ 6.10.5

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N