Cyber Resilience

CVE-2026-22048

Severity: High
Published: 18 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: vendor fix available (11.9.0.12 / 12.0.0.4)
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H)
EPSS Score: 0.0002 (5.1th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-22048 is a high-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 5.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22048 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting NetApp StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.12 and 12.0.0.4. The issue arises when Single Sign-on (SSO) is enabled and configured to use Microsoft Entra ID (formerly Azure AD) as the identity provider (IdP). It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H), indicating high availability impact with low integrity impact and no confidentiality impact.

An authenticated attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to delete configuration data or deny access to certain resources, potentially disrupting operations.

NetApp has published security advisory NTAP-20260217-0001, available at https://security.netapp.com/advisory/NTAP-20260217-0001, which provides details on mitigation. Upgrading to StorageGRID version 11.9.0.12 or 12.0.0.4 resolves the vulnerability.

Vulnerability details

StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.12 and 12.0.0.4 with Single Sign-on enabled and configured to use Microsoft Entra ID (formerly Azure AD) as an IdP are susceptible to a Server-Side Request Forgery (SSRF) vulnerability. Successful exploit could allow an authenticated attacker with low privileges to delete configuration data or deny access to some resources.

CWE(s): CWE-918 (Server-Side Request Forgery)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF vulnerability in a network-accessible StorageGRID web application directly enables exploitation of a public-facing (or remotely reachable) service for impact such as data deletion or denial of service.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-6514 (shared CWE-918)
- CVE-2026-44116 (shared CWE-918)
- CVE-2026-21887 (shared CWE-918)
- CVE-2026-31910 (shared CWE-918)
- CVE-2026-48153 (shared CWE-918)
- CVE-2026-45298 (shared CWE-918)
- CVE-2026-39362 (shared CWE-918)
- CVE-2026-31989 (shared CWE-918)
- CVE-2025-27652 (shared CWE-918)
- CVE-2026-42352 (shared CWE-918)

Mitigating Controls (NIST 800-53 r5)

- Prevent, SI-10 Information Input Validation: Validates untrusted URL or redirect inputs in the SSO/Entra ID flow to block forged server-side requests that enable configuration deletion or denial of service.
- Prevent: Enforces boundary controls on outbound HTTP requests initiated by StorageGRID during SSO, limiting SSRF reach to internal configuration resources.
- Prevent, SI-2 Flaw Remediation: Requires prompt application of the vendor patches (11.9.0.12 / 12.0.0.4) that eliminate the SSRF flaw in the Entra ID integration.
