HIGH · CVE-2026-6445 · CNA: Everpure

CVE-2026-6445: A flaw exists in FlashArray Purity where insufficient filtering of certain data paths could expose sensitive information to an authenticated user with low privileges

Metrics

  • CVSS v4.0 score: 8.7
  • Severity: HIGH
  • Fixed in: no fix version published upstream
  • Affected products: 1

HarborGuard Analysis

Synopsis

An information disclosure and privilege-escalation flaw exists in Everpure FlashArray Purity, affecting versions up to 6.5.8 and 6.10.5. The vulnerability is reachable over the network by any authenticated user holding only low-privilege credentials, with no victim interaction required. Successful exploitation gives the attacker read access to sensitive data as well as the ability to tamper with and disrupt the affected storage system. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-6445 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images derived from FlashArray Purity base layers. Any image in a connected registry or CI pipeline that carries an affected Purity version is flagged automatically.

Triage: Available

HarborGuard scores this finding at CVSS 8.7 HIGH using the v4.0 vector from the record, and per-environment compliance policy weighting can escalate or adjust that priority based on each organization's risk tolerance. Triage routing is available to direct the finding to the appropriate team inbox within each customer organization.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Everpure releases a remediated version. Until then, compensating controls such as network policy isolation and egress filtering for affected workloads are surfaced as recommendations within the platform.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the FlashArray Purity service over the network; the CVSS vector specifies AV:N, meaning no local or physical access is required.

  • Authentication: Required

    A valid account is needed to exploit this flaw, but any low-privilege account is sufficient; no administrative credentials are required (PR:L).

  • Victim interaction: Not required

    No user interaction is needed; the attacker can trigger the vulnerable code path entirely on their own (UI:N).

  • Attack complexity: Low

    Attack complexity is low (AC:L) and the vector records no attack requirements (AT:N), meaning the exploit is reliable and imposes no special preconditions such as race conditions or specific memory layout requirements.

Blast Radius

  • Reads sensitive data accessible through the affected Purity data paths, including configuration details and potentially stored credentials or access tokens (VC:H).
  • Modifies persisted storage configuration or data on the FlashArray system (VI:H).
  • Crashes or disrupts the availability of the affected FlashArray Purity service (VA:H).
  • Impact is confined to the vulnerable system; the CVSS vector records no subsequent or lateral impact on other systems in scope (SC:N, SI:N, SA:N).
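The Exploit Conditions and Blast Radius bullets above are a plain-language reading of the base metrics in the record's CVSS v4.0 vector. The following is an added example for this page, not HarborGuard's or Everpure's code: it validates a CVSS v4.0 base vector string (rejecting wrong versions, unknown metrics, invalid values, duplicates and missing metrics, so a malformed feed entry is refused rather than silently triaged) and derives the same condition and impact summaries. The vector string is the one printed on this record; the label wordings in the mapping tables are this example's own choices. It does not compute the numeric 8.7 score, which in v4.0 requires the MacroVector lookup tables.

```python
"""Parse a CVSS v4.0 base vector and derive exploit conditions and blast radius.

Added example for this CVE record; not HarborGuard's or Everpure's code.
Handles the eleven base metrics only (no threat or environmental metrics).
"""
import re

# Allowed values per CVSS v4.0 base metric (from the v4.0 specification).
BASE_METRICS = {
    "AV": ("N", "A", "L", "P"),   # Attack Vector
    "AC": ("L", "H"),             # Attack Complexity
    "AT": ("N", "P"),             # Attack Requirements
    "PR": ("N", "L", "H"),        # Privileges Required
    "UI": ("N", "P", "A"),        # User Interaction
    "VC": ("H", "L", "N"),        # Vulnerable system Confidentiality
    "VI": ("H", "L", "N"),        # Vulnerable system Integrity
    "VA": ("H", "L", "N"),        # Vulnerable system Availability
    "SC": ("H", "L", "N"),        # Subsequent system Confidentiality
    "SI": ("H", "L", "N"),        # Subsequent system Integrity
    "SA": ("H", "L", "N"),        # Subsequent system Availability
}

# Vector string copied from the CVE-2026-6445 record on this page.
PAGE_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"


def parse_cvss4(vector: str) -> dict:
    """Return {metric: value} for a CVSS v4.0 base vector.

    Raises ValueError on a wrong prefix, malformed component, unknown
    metric, invalid value, duplicate metric, or missing base metric.
    """
    prefix, _, rest = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {prefix!r}")
    metrics: dict = {}
    for part in rest.split("/"):
        m = re.fullmatch(r"([A-Z]{2}):([A-Z])", part)
        if not m:
            raise ValueError(f"malformed metric component {part!r}")
        name, value = m.groups()
        if name not in BASE_METRICS:
            raise ValueError(f"unknown or non-base metric {name!r}")
        if value not in BASE_METRICS[name]:
            raise ValueError(f"invalid value {value!r} for metric {name}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name!r}")
        metrics[name] = value
    missing = sorted(set(BASE_METRICS) - set(metrics))
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def exploit_conditions(metrics: dict) -> dict:
    """Map the exploitability metrics onto the record's Exploit Conditions."""
    return {
        "network_reachability": {"N": "required (network)", "A": "adjacent network",
                                 "L": "local access", "P": "physical access"}[metrics["AV"]],
        "authentication": {"N": "not required", "L": "low-privilege account",
                           "H": "administrative account"}[metrics["PR"]],
        "victim_interaction": {"N": "not required", "P": "passive",
                               "A": "active"}[metrics["UI"]],
        "attack_complexity": {"L": "low", "H": "high"}[metrics["AC"]],
        "attack_requirements": {"N": "none", "P": "present"}[metrics["AT"]],
    }


def blast_radius(metrics: dict) -> dict:
    """Summarise vulnerable-system and subsequent-system impact (H/L/N)."""
    return {
        "vulnerable_system": {k: metrics[k] for k in ("VC", "VI", "VA")},
        "subsequent_system": {k: metrics[k] for k in ("SC", "SI", "SA")},
        # True only if the vector records any impact beyond the vulnerable system.
        "lateral_impact": any(metrics[k] != "N" for k in ("SC", "SI", "SA")),
    }


if __name__ == "__main__":
    parsed = parse_cvss4(PAGE_VECTOR)
    print(exploit_conditions(parsed))
    print(blast_radius(parsed))
```

Run against the record's vector, the output reproduces the bullets above: network reachability required, a low-privilege account required, no victim interaction, low complexity with no attack requirements, high confidentiality/integrity/availability impact on the vulnerable system and no subsequent-system impact. Feeding it a CVSS v3.1 string or a vector with a missing metric raises ValueError, which is the behaviour a triage pipeline wants at the ingest boundary.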

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-6445 at this time, the platform monitors the Everpure advisory on every ingest cycle and will surface a patched-image rebuild automatically as soon as a remediated version is released. In the meantime, customers can act on compensating-control recommendations surfaced in the platform, including applying Kubernetes network policies to restrict ingress to FlashArray Purity endpoints to known trusted sources, enabling egress filtering to limit lateral movement from compromised workloads, and where possible gating access behind additional authentication layers. For customers with auto-remediation enabled, a rebuild, regression-test run, and PR against affected workloads will be triggered immediately upon upstream patch availability, with median time from CVE publication to merged patch PR for high-severity issues running around 90 minutes in those environments.

Affected packages
  • Everpure / FlashArray
    ≤ 6.5.8 · ≤ 6.10.5
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N