7.1
StorageGRID: Malicious requests can delete configuration data
CVE-2026-22048
Summary
StorageGRID versions prior to 11.9.0.12 and 12.0.0.4 are at risk when Single Sign-on is enabled and Microsoft Entra ID (formerly Azure AD) is configured as the identity provider. An authenticated attacker with low privileges can use a Server-Side Request Forgery (SSRF) flaw to delete configuration data or deny access to some resources. Update to 11.9.0.12, 12.0.0.4, or a later version to fix this issue.
Original title
StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.12 and 12.0.0.4 with Single Sign-on enabled and configured to use Microsoft Entra ID (formerly Azure AD) as an IdP are susceptib...
Original description
StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.12 and 12.0.0.4 with Single Sign-on enabled and configured to use Microsoft Entra ID (formerly Azure AD) as an IdP are susceptible to a Server-Side Request Forgery (SSRF) vulnerability. Successful exploit could allow an authenticated attacker with low privileges to delete configuration data or deny access to some resources.
NVD CVSS 3.1
7.1
Vulnerability type
CWE-918
Server-Side Request Forgery (SSRF)
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026