CVE-2026-6445: FlashArray Purity Information Disclosure

CVE-2026-6445 is an information disclosure vulnerability in FlashArray Purity that allows low-privileged authenticated users to access sensitive data. This article covers technical details, affected versions, and mitigation.

CVE-2026-6445 Overview

CVE-2026-6445 is an information disclosure vulnerability in Pure Storage FlashArray Purity. The flaw results from insufficient filtering of certain data paths within the platform. An authenticated user with low privileges can exploit the weakness to access sensitive information that should remain restricted. The issue is tracked under [CWE-939: Improper Authorization in Handler for Custom URL Scheme], reflecting weaknesses in how the product enforces access boundaries on specific resource paths. Pure Storage published details in its security bulletins portal. The vulnerability is network-accessible and requires no user interaction, increasing the practical attack surface in shared storage environments.

Critical Impact

An authenticated low-privileged user can retrieve sensitive data from FlashArray Purity by abusing improperly filtered data paths, undermining storage-tier confidentiality and integrity assumptions.

Affected Products

  • Pure Storage FlashArray Purity (specific versions listed in vendor security bulletins)
  • Pure Storage management interfaces exposed to authenticated users
  • Environments where low-privileged FlashArray accounts are provisioned for operational tasks

Discovery Timeline

  • 2026-06-09 - CVE-2026-6445 published to the National Vulnerability Database (NVD)
  • 2026-06-10 - Entry last updated in the NVD

Technical Details for CVE-2026-6445

Vulnerability Analysis

The vulnerability resides in how FlashArray Purity filters access to specific data paths. Authorization checks on these paths are insufficient, allowing accounts that hold only low privileges to read data outside their intended scope. The result is an information disclosure condition that affects both confidentiality and integrity assumptions of the storage platform. Because FlashArray devices commonly hold consolidated workloads, any leakage from privileged data paths can expose configuration data, operational metadata, or other sensitive content used by administrators and applications. The flaw is exploitable over the network against the management plane, which broadens the population of potential attackers to any authenticated user reachable from corporate networks or remote administrative segments.

Root Cause

The root cause is improper authorization enforcement on specific resource paths handled by FlashArray Purity, consistent with [CWE-939]. The platform accepts requests from low-privileged sessions and processes them without applying the filtering needed to scope responses to that user's privilege level. Sensitive content traverses the response path and reaches the requesting client.

Attack Vector

An attacker first acquires valid low-privileged credentials through legitimate provisioning, credential reuse, or prior compromise. The attacker then issues network requests to FlashArray Purity targeting the affected data paths. No user interaction is required, and the requests appear as routine authenticated traffic. Refer to the Pure Storage Security Bulletins for technical specifics on the vulnerable endpoints.

Detection Methods for CVE-2026-6445

Indicators of Compromise

  • Unusual volumes of authenticated API or management requests originating from low-privileged FlashArray accounts.
  • Access patterns from service or operator accounts that touch administrative or configuration data paths outside their normal scope.
  • Authentication sessions from network segments that historically do not interact with the FlashArray management plane.

Detection Strategies

  • Baseline normal request patterns per FlashArray user role and alert on deviations that involve sensitive data endpoints.
  • Correlate Purity audit logs with identity provider logs to confirm whether low-privileged sessions are issuing requests inconsistent with their assigned duties.
  • Review HTTP response sizes and content categories returned to low-privileged sessions to surface oversized or unexpected payloads.

Monitoring Recommendations

  • Forward FlashArray Purity audit and access logs to a centralized analytics platform for retention and search.
  • Monitor for repeated access attempts against the same data paths across multiple low-privileged accounts, which can indicate reconnaissance.
  • Alert on new or rarely used API endpoints being accessed by accounts that traditionally rely on a narrow subset of operations.
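The following script is an added example, not part of the original article and not a Pure Storage tool, that puts the detection and monitoring strategies above into working form: it learns a per-role baseline from a window of audit events, then flags low-privileged sessions that touch data paths outside their role's baseline, receive responses far larger than that role normally sees for a path, or arrive from a network segment the role has never used, and finally reports any out-of-scope path probed by more than one low-privileged account. The JSON log layout, role names, API paths and addresses are constructed for the example; the real Purity audit schema and endpoint names should be taken from the vendor documentation.

```python
"""Baseline-and-deviation detection over constructed FlashArray-style audit events."""
import json
from collections import defaultdict

# Constructed sample events in JSON-lines form (hypothetical schema, not real Purity output).
# BASELINE_LOG is the learning window; REVIEW_LOG is the window being evaluated.
BASELINE_LOG = """
{"user":"svc-backup","role":"readonly","method":"GET","path":"/api/2.x/volumes","status":200,"bytes":4120,"src":"10.10.0.21"}
{"user":"svc-backup","role":"readonly","method":"GET","path":"/api/2.x/volumes/snapshots","status":200,"bytes":3900,"src":"10.10.0.21"}
{"user":"ops-user1","role":"readonly","method":"GET","path":"/api/2.x/volumes","status":200,"bytes":4050,"src":"10.10.0.22"}
{"user":"storage-admin","role":"array_admin","method":"GET","path":"/api/2.x/admins","status":200,"bytes":2200,"src":"10.10.0.5"}
{"user":"storage-admin","role":"array_admin","method":"GET","path":"/api/2.x/arrays","status":200,"bytes":18000,"src":"10.10.0.5"}
"""

REVIEW_LOG = """
{"user":"svc-backup","role":"readonly","method":"GET","path":"/api/2.x/volumes","status":200,"bytes":4100,"src":"10.10.0.21"}
{"user":"ops-user1","role":"readonly","method":"GET","path":"/api/2.x/admins","status":200,"bytes":2300,"src":"10.10.0.22"}
{"user":"ops-user1","role":"readonly","method":"GET","path":"/api/2.x/volumes","status":200,"bytes":91000,"src":"10.10.0.22"}
{"user":"svc-backup","role":"readonly","method":"GET","path":"/api/2.x/admins","status":200,"bytes":2250,"src":"10.10.0.21"}
{"user":"svc-backup","role":"readonly","method":"GET","path":"/api/2.x/volumes","status":200,"bytes":4000,"src":"192.168.50.9"}
"""

LOW_PRIV_ROLES = {"readonly"}   # roles the article calls "low-privileged" (assumed name)
SIZE_FACTOR = 5                 # flag a response larger than 5x the role's baseline max for that path
PROBE_THRESHOLD = 2             # distinct low-priv accounts hitting one out-of-scope path


def parse_events(text):
    """Parse JSON-lines audit text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def subnet24(ip):
    """Coarse network segment key: collapse an IPv4 address to its /24."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def build_baseline(events):
    """Per role: paths seen, largest response observed per path, and source /24s used."""
    paths = defaultdict(set)
    max_bytes = defaultdict(lambda: defaultdict(int))
    subnets = defaultdict(set)
    for e in events:
        role = e["role"]
        paths[role].add(e["path"])
        max_bytes[role][e["path"]] = max(max_bytes[role][e["path"]], e["bytes"])
        subnets[role].add(subnet24(e["src"]))
    return {"paths": paths, "max_bytes": max_bytes, "subnets": subnets}


def evaluate(events, baseline):
    """Return (alert_type, subject, detail) tuples for low-privileged deviations."""
    alerts = []
    probed = defaultdict(set)  # out-of-scope path -> set of low-priv users touching it
    for e in events:
        role = e["role"]
        if role not in LOW_PRIV_ROLES:
            continue
        if e["path"] not in baseline["paths"][role]:
            alerts.append(("PATH_OUTSIDE_ROLE_BASELINE", e["user"], e["path"]))
            probed[e["path"]].add(e["user"])
        else:
            limit = baseline["max_bytes"][role][e["path"]] * SIZE_FACTOR
            if e["bytes"] > limit:
                alerts.append(("OVERSIZED_RESPONSE", e["user"], e["path"]))
        if subnet24(e["src"]) not in baseline["subnets"][role]:
            alerts.append(("UNSEEN_SOURCE_SEGMENT", e["user"], e["src"]))
    # Same out-of-scope path touched by several low-priv accounts: possible reconnaissance.
    for path, users in probed.items():
        if len(users) >= PROBE_THRESHOLD:
            alerts.append(("MULTI_ACCOUNT_PROBE", path, ",".join(sorted(users))))
    return alerts


def run_detection():
    """Learn from BASELINE_LOG, evaluate REVIEW_LOG, and return the alert list."""
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return evaluate(parse_events(REVIEW_LOG), baseline)


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

In production the baseline window should be long enough to cover scheduled jobs (backup cycles, reporting runs), and the role and path fields should come from the array's audit log or API gateway rather than the constructed schema used here; the three per-event checks map directly to the three detection strategies listed above, and the post-loop aggregation implements the multi-account reconnaissance indicator from the monitoring recommendations.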

How to Mitigate CVE-2026-6445

Immediate Actions Required

  • Apply the fixed Purity release identified in the Pure Storage Security Bulletins as soon as the maintenance window allows.
  • Audit all FlashArray user accounts and remove or downgrade accounts that no longer require management-plane access.
  • Rotate credentials and API tokens for low-privileged accounts that interact with the FlashArray management interface.

Patch Information

Pure Storage publishes fixed versions and remediation guidance through its security bulletins portal. Administrators should consult the Pure Storage Security Bulletins for the exact Purity releases that address CVE-2026-6445 and follow the documented upgrade procedure for their array model.

Workarounds

  • Restrict network access to the FlashArray management plane using firewalls or access control lists so that only trusted administrative subnets can connect.
  • Enforce multi-factor authentication on identity providers fronting FlashArray access to reduce risk from credential reuse.
  • Review and tighten role assignments so low-privileged accounts only retain the minimum permissions required for their function.

```bash
# Configuration example: restrict management plane access at the network edge.
# Intended for a Linux firewall host in the path to the array; replace the
# source address with your administrative subnets and <flasharray_mgmt_ip>
# with the array's management IP. Rule order matters: the ACCEPT for the
# trusted subnet must precede the catch-all DROP for the same destination.
iptables -A INPUT -p tcp -s 10.10.0.0/24 -d <flasharray_mgmt_ip> --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -d <flasharray_mgmt_ip> --dport 443 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.