Skip to main content

Aws Efs Csi Driver CVE-2026-6437

| EUVDEUVD-2026-23500 MEDIUM
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-04-17 AMZN GHSA-mph4-q2vm-w2pw
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Generated
Apr 17, 2026 - 19:33 vuln.today
CVSS changed
Apr 17, 2026 - 19:22 NVD
6.5 (MEDIUM) 6.9 (MEDIUM)
EUVD ID Assigned
Apr 17, 2026 - 19:15 euvd
EUVD-2026-23500
Analysis Generated
Apr 17, 2026 - 19:15 vuln.today
Patch released
Apr 17, 2026 - 19:15 nvd
Patch available
CVE Published
Apr 17, 2026 - 18:41 nvd
MEDIUM 6.9

DescriptionCVE.org

Improper neutralization of argument delimiters in the volume handling component in AWS EFS CSI Driver (aws-efs-csi-driver) before v3.0.1 allows remote authenticated users with PersistentVolume creation permissions to inject arbitrary mount options via comma injection.

To remediate this issue, users should upgrade to version v3.0.1

AnalysisAI

Improper neutralization of argument delimiters in AWS EFS CSI Driver before v3.0.1 allows remote authenticated users with PersistentVolume creation permissions to inject arbitrary mount options via comma injection, potentially leading to privilege escalation or unauthorized data access within Kubernetes clusters using EFS storage. The vulnerability requires high privileges (PersistentVolume admin role) but can be exploited remotely over the network with low complexity. Vendor-released patch v3.0.1 is available.

Technical ContextAI

The AWS EFS CSI Driver is a Kubernetes storage plugin that provisions and mounts Amazon Elastic File System (EFS) volumes in containerized environments. The vulnerability exists in the volume handling component responsible for constructing mount options passed to the EFS mounting subsystem. CWE-88 (Argument Injection) occurs when user-controlled input is concatenated into command-line arguments without proper escaping or delimiter validation. The driver fails to sanitize comma characters in mount option parameters, allowing attackers to inject additional mount options by breaking out of the intended parameter boundary. This is a classic shell metacharacter injection pattern where commas, used as delimiters in mount option strings, are not neutralized before being passed to the underlying mount system call. The attack surface is limited to authenticated users with Kubernetes API permissions to create or modify PersistentVolume objects.

RemediationAI

Upgrade AWS EFS CSI Driver to version v3.0.1 or later immediately. The patch is available from the GitHub release at https://github.com/kubernetes-sigs/aws-efs-csi-driver/releases/tag/v3.0.1. In Kubernetes clusters using Helm, update the aws-efs-csi-driver Helm chart to a version that includes v3.0.1 or later. For clusters managing the driver directly, pull the v3.0.1 image from the public ECR repository (amazon/aws-efs-csi-driver:v3.0.1) and update the DaemonSet deployment. After patching, restart the EFS CSI driver pods to ensure the fixed code is in use: kubectl rollout restart daemonset ebs-csi-node -n kube-system (note: namespace may vary). If immediate patching is not feasible, implement strict Kubernetes RBAC controls to limit PersistentVolume and StorageClass creation and modification to a small set of trusted cluster administrators, and audit existing PersistentVolume definitions for suspicious mount options containing unexpected comma-separated values. Network segmentation to restrict EFS API access and comprehensive mount option validation via admission controllers (e.g., OPA/Gatekeeper policies) can provide temporary compensating controls but should not replace patching.

Vendor StatusVendor

Share

CVE-2026-6437 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy