Skip to main content

Dell Container Storage Modules CVE-2026-40711

| EUVDEUVD-2026-39652 HIGH
OS Command Injection (CWE-78)
2026-06-26 dell GHSA-6p63-373v-wp23
8.0
CVSS 3.1 · Vendor: dell
Share

Severity by source

Vendor (dell) PRIMARY
8.0 HIGH
AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.0 HIGH

Remote-reachable but requires already-high cluster/storage privileges (PR:H) and non-trivial preconditions (AC:H); injected OS command yields full C/I/A impact with scope change beyond the driver (S:C).

3.1 AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (dell).

CVSS VectorVendor: dell

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jun 26, 2026 - 14:01 EUVD
Analysis Generated
Jun 26, 2026 - 13:20 vuln.today

DescriptionCVE.org

Dell Dell Container Storage Modules, version(s) csi-powerstore v2.16.0, csi-unity v2.16.0, csi-powerflex v2.16.0, csi-powermax v2.16.0, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Command execution.

AnalysisAI

OS command injection in Dell Container Storage Modules (CSM) version 2.16.0 - spanning the csi-powerstore, csi-unity, csi-powerflex, and csi-powermax CSI drivers - lets a remote, high-privileged attacker inject and execute arbitrary operating-system commands (CWE-78). Successful exploitation yields full confidentiality, integrity, and availability impact with a scope change, meaning command execution can reach beyond the vulnerable component into the surrounding host or cluster. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain high-privileged cluster/storage access
Delivery
Send crafted request to CSM CSI controller
Exploit
Inject shell metacharacters into OS command (CWE-78)
Execution
Execute arbitrary commands in driver context
Impact
Leverage scope change to reach host/cluster

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already hold high privileges (CVSS PR:H) - a trusted storage/cluster administrator role or an equivalently privileged, compromised service account able to interact with the CSM CSI controllers (csi-powerstore, csi-unity, csi-powerflex, or csi-powermax at v2.16.0). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are mixed and point to a high-impact but high-barrier issue rather than a mass-exploitation threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has already obtained high-privileged access to the cluster's storage-management plane (for example, a compromised storage-admin service account token or an insider with CSM controller permissions) submits a crafted request containing shell metacharacters in a field the CSI driver passes to an OS command. Because input is not neutralized (CWE-78), the injected command executes in the driver/controller context; the scope-change (S:C) means that execution can affect the underlying host or other cluster components beyond the driver. …
Remediation Patch available per vendor advisory: upgrade Dell Container Storage Modules above the affected 2.16.0 release per Dell DSA-2026-259 (https://www.dell.com/support/kbdoc/en-za/000478300/dsa-2026-259-security-update-for-dell-container-storage-modules-multiple-vulnerabilities); the input does not include a confirmed fixed version number, so consult the advisory for the exact patched release for each driver (csi-powerstore, csi-unity, csi-powerflex, csi-powermax) and bump the corresponding Helm chart/operator image tags. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all deployments running CSM 2.16.0 across infrastructure; restrict administrative access to storage driver APIs; enable command-injection detection in container runtime or host-level security tools. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-40711 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy