CVE-2026-22048
📋 TL;DR
StorageGRID versions with Single Sign-on enabled and configured to use Microsoft Entra ID are vulnerable to Server-Side Request Forgery (SSRF). This allows authenticated low-privilege attackers to delete configuration data or deny access to resources. Only affects systems with specific SSO configuration.
💻 Affected Systems
- NetApp StorageGRID (formerly StorageGRID Webscale)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete loss of configuration data leading to service disruption, potential data loss, and denial of access to critical storage resources.
Likely Case
Partial configuration deletion causing service degradation, temporary access denial to some storage resources, and operational disruption.
If Mitigated
Limited impact due to proper access controls, monitoring, and network segmentation preventing exploitation.
🎯 Exploit Status
Requires authenticated access with low privileges. SSRF exploitation requires specific knowledge of internal endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.9.0.12 or 12.0.0.4
Vendor Advisory: https://security.netapp.com/advisory/NTAP-20260217-0001
Restart Required: Yes
Instructions:
1. Back up configuration and data.
2. Download the appropriate patch version from the NetApp Support Site.
3. Apply the patch following StorageGRID upgrade procedures.
4. Restart services as required.
5. Verify SSO functionality post-upgrade.
🔧 Temporary Workarounds
Disable Entra ID SSO
Temporarily disable the Single Sign-on configuration that uses Microsoft Entra ID
Use StorageGRID Manager to navigate to SSO configuration and disable Entra ID integration
Restrict User Access
Tighten access controls and implement least privilege for authenticated users
Review and reduce user permissions in StorageGRID access control settings
🧯 If You Can't Patch
- Implement strict network segmentation to isolate StorageGRID management interfaces
- Enhance monitoring for configuration changes and unusual SSO-related activities
🔍 How to Verify
Check if Vulnerable:
Check StorageGRID version via admin interface and verify if SSO with Entra ID is enabled
Check Version:
Log in to StorageGRID Manager and check the version under System Information, or use the API: GET /api/v3/grid/config
Verify Fix Applied:
Confirm version is 11.9.0.12 or higher (for 11.x) or 12.0.0.4 or higher (for 12.x)
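A branch-aware check against the fixed versions above, added here as an example and not NetApp code: the version string and the Entra ID SSO flag are assumed to be read by the administrator from the Grid Manager (or from the API call mentioned above), and the host names in the sample inventory are constructed.

```python
"""Classify StorageGRID nodes against the CVE-2026-22048 fix versions.

Added example, not NetApp code. Inputs are the version string shown in
System Information and whether SSO is configured for Microsoft Entra ID.
"""
from typing import Dict, Tuple

# Fixed versions from the advisory, keyed by major release line.
FIXED_BY_MAJOR: Dict[int, Tuple[int, ...]] = {
    11: (11, 9, 0, 12),
    12: (12, 0, 0, 4),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'11.9.0.12' -> (11, 9, 0, 12); short strings are zero-padded,
    non-numeric components are rejected rather than silently ignored."""
    nums = []
    for part in version.strip().split("."):
        if not part.isdigit():
            raise ValueError(f"non-numeric version component: {part!r}")
        nums.append(int(part))
    nums.extend([0] * (4 - len(nums)))
    return tuple(nums[:4])


def assess(version: str, entra_sso_enabled: bool) -> str:
    """Return 'not affected', 'fixed', 'not confirmed fixed' or 'unknown branch'.

    Only deployments using SSO with Entra ID are in scope, so that check comes
    first. Within 11.x and 12.x the advisory's fixed version is the threshold
    (so 11.8.x is below 11.9.0.12); any other major line needs manual review.
    """
    if not entra_sso_enabled:
        return "not affected"
    parsed = parse_version(version)
    fixed = FIXED_BY_MAJOR.get(parsed[0])
    if fixed is None:
        return "unknown branch"
    return "fixed" if parsed >= fixed else "not confirmed fixed"


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts, not real systems).
    inventory = [
        ("grid-a", "11.9.0.11", True),
        ("grid-b", "11.9.0.12", True),
        ("grid-c", "12.0.0.3", False),
        ("grid-d", "11.8.0.5", True),
    ]
    for name, ver, sso in inventory:
        print(f"{name}: {ver} entra_sso={sso} -> {assess(ver, sso)}")
```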
📡 Detection & Monitoring
Log Indicators:
- Unexpected configuration deletion events
- SSO authentication anomalies
- Unusual internal API calls from user sessions
Network Indicators:
- Abnormal HTTP requests to internal endpoints from authenticated sessions
- Unexpected outbound requests from StorageGRID to internal systems
SIEM Query:
source="StorageGRID" AND (event_type="config_change" OR auth_method="sso") AND action="delete"