CVE-2026-22050

MEDIUM

Netapp Ontap - IDOR

Title source: rule

Description

ONTAP versions 9.16.1 prior to 9.16.1P9 and 9.17.1 prior to 9.17.1P2 with snapshot locking enabled are susceptible to a vulnerability which could allow a privileged remote attacker to set the snapshot expiry time to none.

References (1)

[Vendor Advisory] https://security.netapp.com/advisory/NTAP-20260112-0001

Scores

CVSS v3 4.3

EPSS 0.0005

EPSS Percentile 15.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (2)

netapp/ontap 9.16.1 (9 CPE variants)

netapp/ontap 9.17.1 (2 CPE variants)

Published Jan 12, 2026

Tracked Since Feb 18, 2026